Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Any workaround for EAP-TLS forcing a username check against an auth source?

  • 1.  Any workaround for EAP-TLS forcing a username check against an auth source?

    Posted Apr 03, 2016 07:52 PM

    I am building an EAP-TLS service. Have done this many times before and normally check the CN in the certificate against another source such as Active Directory.

    However in this project there will be potentially tens of different origins of valid certificates, and there is no single auth source to check them against. Moreover we don't actually want to check any client CNs at all - we only care about other attributes of the certificate which will be checked in the enforcement stage.

    And we don't want to maintain any list of valid client CNs as there will be thousands and they are managed separately.

    Bottom line, ClearPass requires we select an authentication source in the service definition. The certificate CN gets mapped to Authentication:Username and checked against this source. Is there a workaround where ClearPass can accept any CN without checking an auth source?

     



  • 2.  RE: Any workaround for EAP-TLS forcing a username check against an auth source?
    Best Answer

    EMPLOYEE
    Posted Apr 03, 2016 07:56 PM
    Create a custom auth method and disable comparison and authorization. Then just throw AD in there because you have to define a source.



  • 3.  RE: Any workaround for EAP-TLS forcing a username check against an auth source?

    Posted Apr 03, 2016 08:03 PM

    Perfect. I added Local User Repository which is empty and works fine.

     

    I almost looked up what that checkbox did, but the term authorization threw me - not quite the correct term to use there. 

     

    Thanks, Cappalli