What is Certificate filtering criteria for connections in VIA?

MVP Expert
Q:

What is Certificate filtering criteria for connection in VIA?



A:

In versions prior to VIA 3.2.0, when a client attempts to connect with a profile that uses certificate authentication, the client displays all available certificates for the end user to select from. This approach gives the administrator no control over which certificates are presented to the client.

In VIA 3.2.0, the administrator can define criteria that control which certificates a client is allowed to view and select. The criteria are configured in the Certificate Criteria entry under the VIA connection profile on the controller. This feature is supported in ArubaOS 8.1 onwards.

The criteria text is constructed in the format "key1=value1;key2=value2;..". Each value can be a standard regular expression, and each key is an X.509 attribute given either as its OID or as its textual name.

•ex: "organizationalUnitName=SmartCard;emailAddress=@hpe.com"
selects only the certificates that have "SmartCard" in the OU and whose emailAddress field contains "@hpe.com".

•ex: "organizationalUnitName=SmartCard;emailAddress=@hpe.com|@arubanetworks.com"
selects only the certificates that have "SmartCard" in the OU and an email address from the hpe.com or arubanetworks.com domain.

•Common certificate fields/extensions and attributes are used in the criteria.

•The following values (RFC 5280) are used as keys:

  Text                     OID
  commonName               2.5.4.3
  organizationalUnitName   2.5.4.11
  organizationName         2.5.4.10
  subjectAltName           2.5.29.17
  certificateIssuer        2.5.29.29
  userPrincipalName        1.3.6.1.4.1.311.20.2.3
  emailAddress             1.2.840.113549.1.9.1
  friendlyName             1.2.840.113549.1.9.20
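To make the criteria syntax concrete, here is an added Python example (not code from the article, from Aruba VIA, or from ArubaOS) that parses a criteria string, accepts keys either as textual names or as the OIDs in the table above, and evaluates the criteria against a constructed in-memory certificate store. It assumes substring regex matching (re.search) and that a missing field never matches; the article does not state the exact matching semantics VIA uses. It also shows a point the article's examples leave implicit: because each value is a regular expression, the unescaped "." in "@hpe.com" also matches a look-alike address, and anchoring plus escaping tightens the filter.

```python
import re
from dataclasses import dataclass

# Key table from the article: textual name -> OID.
KEY_OIDS = {
    "commonName": "2.5.4.3",
    "organizationalUnitName": "2.5.4.11",
    "organizationName": "2.5.4.10",
    "subjectAltName": "2.5.29.17",
    "certificateIssuer": "2.5.29.29",
    "userPrincipalName": "1.3.6.1.4.1.311.20.2.3",
    "emailAddress": "1.2.840.113549.1.9.1",
    "friendlyName": "1.2.840.113549.1.9.20",
}
OID_TO_TEXT = {oid: text for text, oid in KEY_OIDS.items()}


@dataclass
class Criterion:
    key: str             # canonical textual key, e.g. "emailAddress"
    pattern: re.Pattern  # compiled regular expression for the value


def parse_criteria(text):
    """Parse "key1=value1;key2=value2" into Criterion objects.

    Keys may be textual names or dotted OIDs from the table; values are
    regular expressions. Empty segments (e.g. a trailing ';') are ignored.
    """
    criteria = []
    for segment in text.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        if "=" not in segment:
            raise ValueError(f"criterion without '=': {segment!r}")
        key, value = (s.strip() for s in segment.split("=", 1))
        key = OID_TO_TEXT.get(key, key)  # accept "2.5.29.29" as certificateIssuer
        if key not in KEY_OIDS:
            raise ValueError(f"unknown key: {key!r}")
        criteria.append(Criterion(key, re.compile(value)))
    return criteria


def first_failing_key(cert, criteria):
    """Return the key of the first criterion the certificate fails, or None.

    Assumption (not stated in the article): a regex matches if it is found
    anywhere in the field (re.search), and a missing field never matches.
    """
    for c in criteria:
        if not c.pattern.search(cert.get(c.key, "")):
            return c.key
    return None


def filter_certs(certs, criteria_text):
    """Friendly names of the certificates that satisfy every criterion, i.e. the
    'Shortlisted' set; everything else corresponds to 'Rejected' in the VIA log."""
    criteria = parse_criteria(criteria_text)
    return [c["friendlyName"] for c in certs if first_failing_key(c, criteria) is None]


# Constructed sample certificate store (not real certificates): one dict per cert,
# keyed by the textual attribute names from the table.
SAMPLE_CERTS = [
    {"friendlyName": "Administrator1024", "organizationalUnitName": "SmartCard",
     "emailAddress": "alice@hpe.com",
     "certificateIssuer": "customer-1-WIN-XSHSQH1EKMR-CA"},
    {"friendlyName": "sample", "organizationalUnitName": "SmartCard",
     "emailAddress": "bob@arubanetworks.com",
     "certificateIssuer": "ClearPass Onboard Local Certificate Authority (Signing)"},
    {"friendlyName": "ContractorToken", "organizationalUnitName": "Contractors",
     "emailAddress": "carol@hpe.com",
     "certificateIssuer": "ClearPass Onboard Local Certificate Authority (Signing)"},
    # The unescaped '.' in the regex "@hpe.com" also matches this look-alike address.
    {"friendlyName": "LookalikeDomain", "organizationalUnitName": "SmartCard",
     "emailAddress": "mallory@hpe-com.example",
     "certificateIssuer": "ClearPass Onboard Local Certificate Authority (Signing)"},
]

if __name__ == "__main__":
    for text in ("organizationalUnitName=SmartCard;emailAddress=@hpe.com",
                 "organizationalUnitName=SmartCard;emailAddress=@hpe.com|@arubanetworks.com",
                 r"organizationalUnitName=^SmartCard$;emailAddress=@hpe\.com$",
                 "2.5.29.29=customer-1-WIN-XSHSQH1EKMR-CA"):
        print(f"{text!r:78} -> {filter_certs(SAMPLE_CERTS, text)}")
```

Two design points worth noting: the article's first example, taken literally as a regex, shortlists both "alice@hpe.com" and the constructed "mallory@hpe-com.example", while the anchored and escaped form `emailAddress=@hpe\.com$` shortlists only the former, so writing the value as a precise regex is what makes the filter meaningful. Also, because criteria are split on ";", a value under this parser cannot itself contain a semicolon.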

 

To Configure:

===========

1. Go to Configuration -> Authentication -> L3 Authentication -> VIA connection profile.

2. Locate “Certificate Criteria” and enter the desired criteria for filtering.

   Example: certificateIssuer=customer-1-WIN-XSHSQH1EKMR-CA

On the client, download the VIA profile and initiate a connection. Only the certificates that meet the criteria are listed for selection; with the example above, only certificates whose issuer is “customer-1-WIN-XSHSQH1EKMR-CA” are listed for authentication.

Note: If only one certificate with the issuer “customer-1-WIN-XSHSQH1EKMR-CA” is available, the connection is established automatically without prompting the user to select a certificate.

 

Debugging:

==========

Check the VIA client log at C:\ProgramData\Aruba Networks\VIA\anuacui.txt. The entries below show the criteria being applied and each available certificate being rejected or shortlisted:

Sep 08 11:23:22.389  p6088  t28cc  TRACE ANDialog  161  Download profile response provided

Sep 08 11:23:22.404  p6088  tf5c  INFO anctl  99  OS is 64 bit

Sep 08 11:23:22.404  p6088  tf5c  DEBUG anappM  2243  ShowConfigDialogSpinnerInUI: Downloading VPN Profile.

Sep 08 11:23:22.404  p6088  tf5c  INFO CertificateSelectionDialog_managed  188  Filtering criteria seccessfully set to : certificateIssuer=customer-1-WIN-XSHSQH1EKMR-CA

Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: sample@hpe.com

Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: 46E9780C-7EAE-4E36-AF9D-AFEAB408F67C

Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: ClearPass Onboard Local Certificate Authority (Signing)

Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: sample

Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: sample

Sep 08 11:23:22.404  p6088  tf5c  INFO CertificateSelectionDialog_managed  227  Filtering Criteria: Shortlisted: Administrator1024

Sep 08 11:23:22.404  p6088  tf5c  DEBUG anappM  2243  ShowConfigDialogSpinnerInUI: Downloading VPN Profile..

Sep 08 11:23:22.404  p6088  tf5c  INFO anctl  585  Trying to connect on port (8085)

Sep 08 11:23:22.404  p6088  tf5c  INFO ansocket  375  Attempting to connect too : 10.17.12.12 port : 8085

Sep 08 11:23:22.405  p6088  tf5c  INFO ansocket  470  Connection established to : 10.17.12.12 port : 8085
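When a user reports that the "wrong" certificate was offered or that no prompt appeared, the quickest check is to read the CertificateSelectionDialog entries above. As an added example (not part of the article or of the VIA client), the following Python script parses lines in the anuacui.txt format and summarizes one selection pass: the criteria that were set, which certificates were rejected or shortlisted, and whether the user will be prompted. The line-format regex is inferred from the sample lines and is an assumption; the embedded sample log is copied from the article.

```python
import re

# Line format inferred from the article's anuacui.txt excerpt (assumption):
#   "Sep 08 11:23:22.404  p6088  tf5c  INFO CertificateSelectionDialog_managed  188  message"
LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"p(?P<pid>[0-9a-fA-F]+)\s+t(?P<tid>[0-9a-fA-F]+)\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+(?P<line>\d+)\s+(?P<msg>.*)$"
)
# The real log spells "seccessfully"; matching on "set to :" avoids depending on it.
CRITERIA_SET = re.compile(r"set to\s*:\s*(?P<criteria>.+)$")
DECISION = re.compile(r"Filtering Criteria:\s*(?P<verdict>Rejected|Shortlisted):\s*(?P<cert>.+)$")


def parse_log(text):
    """Parse each line into a dict of named fields; non-matching lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize_filtering(text):
    """Summarize one certificate-selection pass from the client log."""
    summary = {"criteria": None, "rejected": [], "shortlisted": []}
    for e in parse_log(text):
        if not e["component"].startswith("CertificateSelectionDialog"):
            continue
        m = CRITERIA_SET.search(e["msg"])
        if m:
            summary["criteria"] = m.group("criteria").strip()
            continue
        m = DECISION.search(e["msg"])
        if m:
            summary[m.group("verdict").lower()].append(m.group("cert").strip())
    n = len(summary["shortlisted"])
    # Per the article: exactly one shortlisted certificate connects without a prompt.
    summary["outcome"] = ("no certificate matched the criteria" if n == 0
                          else "auto-selected, no prompt" if n == 1
                          else "user prompted to choose")
    return summary


# Sample log copied from the article's anuacui.txt excerpt.
SAMPLE_LOG = """\
Sep 08 11:23:22.389  p6088  t28cc  TRACE ANDialog  161  Download profile response provided
Sep 08 11:23:22.404  p6088  tf5c  INFO anctl  99  OS is 64 bit
Sep 08 11:23:22.404  p6088  tf5c  DEBUG anappM  2243  ShowConfigDialogSpinnerInUI: Downloading VPN Profile.
Sep 08 11:23:22.404  p6088  tf5c  INFO CertificateSelectionDialog_managed  188  Filtering criteria seccessfully set to : certificateIssuer=customer-1-WIN-XSHSQH1EKMR-CA
Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: sample@hpe.com
Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: 46E9780C-7EAE-4E36-AF9D-AFEAB408F67C
Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: ClearPass Onboard Local Certificate Authority (Signing)
Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: sample
Sep 08 11:23:22.404  p6088  tf5c  WARNING CertificateSelectionDialog_managed  223  Filtering Criteria: Rejected: sample
Sep 08 11:23:22.404  p6088  tf5c  INFO CertificateSelectionDialog_managed  227  Filtering Criteria: Shortlisted: Administrator1024
Sep 08 11:23:22.404  p6088  tf5c  DEBUG anappM  2243  ShowConfigDialogSpinnerInUI: Downloading VPN Profile..
Sep 08 11:23:22.404  p6088  tf5c  INFO anctl  585  Trying to connect on port (8085)
Sep 08 11:23:22.404  p6088  tf5c  INFO ansocket  375  Attempting to connect too : 10.17.12.12 port : 8085
Sep 08 11:23:22.405  p6088  tf5c  INFO ansocket  470  Connection established to : 10.17.12.12 port : 8085
"""

if __name__ == "__main__":
    s = summarize_filtering(SAMPLE_LOG)
    print("criteria:   ", s["criteria"])
    print("rejected:   ", s["rejected"])
    print("shortlisted:", s["shortlisted"])
    print("outcome:    ", s["outcome"])
```

Run against the excerpt above, the summary reports the issuer criteria, five rejected entries, one shortlisted certificate (Administrator1024) and the outcome "auto-selected, no prompt", which is exactly the behaviour the Note in the configuration section describes. A missing "set to" line with every certificate rejected is the signature of a profile whose criteria do not match anything in the user's store.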

Version history: Revision 2 of 2, last update 07-31-2019 03:44 AM