Include Email within Onboard client certificate for AD and Guest Users for certificate expiry notification

Aruba Employee
Aruba Employee

rtaImage (12).pngIntroduction- Starting from 6.4 we have an option to send expiry notification for Onboarded users beginning from 4 weeks prior to expiry. That would need the Email attribute to be included within the certificate. This article helps us configure our Onboard authorization service to include the email address within the client certificate for AD and Guest Users.


Environment- This configuration has been tested and found to be working in ClearPass version 6.4.3

Configuration Steps- To start with, the setting that you need to enable for sending notification to Onboarded users before certificate expiry is under Onboard>>Provisioning Settings>>General.

rtaImage (3).png


When we go through the Service templates and create a service for Onboard it creates two services of type application along with the dot1x service one for Pre-Auth and the other for Onboard Authorizaation. The changes that we are going to do would be on the Onboard Authorization service. We are going to cover the config steps to include email in the certificate for both AD and Guest Users

For AD Users

When you configure an AD auth source the Email attribute is fetched as part of the default attributes

rtaImage (4).png

We need to make use of this attribute and return it while authorizing an AD user. We need to configure an enforcement profile for that.

rtaImage (5).png

In this case the name of the AD auth source is "Lab AD" you can replace that with the name of the AD source configured. 

We can return this as an enforcement profile in our Onboard Authorization service for all users who have an email attribute attached to their AD account. Make sure you add the AD as an authorization source

rtaImage (6).png


Once we configure this the email address of the user would be returned as an attribute for the authorization request

rtaImage (7).png

This would result in the email address being included in the certificate and the expiry notification would be delivered to the user.

rtaImage (8).png



Guest Users

We would not fetch the Email attribute automatically as a part of authorization attributes for Guests, we need to put in a custom SQL query which helps us fetch their email as a part of Guest authorization.

In Guest User Repository we need to add an additional filter that fetches the email for us. 

rtaImage (9).png


Put in this SQL Query in the Filter Query Column

select t2.tag_value AS GuestUser_Email
FROM tips_guest_users g
LEFT JOIN tips_guest_user_tag_mappings t1 ON ( = t1.instance_id)
LEFT JOIN tips_tag_values t2 ON (t1.tag_value_id =
WHERE (g.guest_type = 'USER')
  AND (g.user_id = '%{Authentication:Username}')
  AND (t2.tag_id = (SELECT id FROM tips_tag_definitions WHERE name = 'Email' AND entity_id = (SELECT id FROM tips_dic_internal WHERE dic_prefix = 'GuestUser')));


rtaImage (10).png



Now that we configured this filter we could start using Guest-User-Email as an authorization attribute and write its value to the cert. 

We need to create an enforcement profile similar to what we did for AD Users on Guest Users also.

rtaImage (11).png

and enforce that for all Guest Users with an email address

rtaImage (12).png

Once we do that we should be able to observe the email address being returned even for Guest Users during Onboard authorization.

rtaImage (13).png

and us returning the email to write it on to the certificate

rtaImage (14).png

Similar to AD Users, certificates created from Guest Accounts would also have their certificate hardcoded with the email address

rtaImage (15).png

Verification- We can verify the above setup by following the above configuration steps and Onboard with an AD account and Guest account and in both cases we should see the certificate containing the email address.

Version history
Revision #:
1 of 1
Last update:
‎04-01-2015 09:50 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: