I am building an EAP-TLS service. Have done this many times before and normally check the CN in the certificate against another source such as Active Directory.
However in this project there will be potentially tens of different origins of valid certificates, and there is no single auth source to check them against. Moreover we don't actually want to check any client CNs at all - we only care about other attributes of the certificate which will be checked in the enforcement stage.
And we don't want to maintain any list of valid client CNs as there will be thousands and they are managed separately.
Bottom line, ClearPass requires we select an authentication source in the service definition. The certificate CN gets mapped to Authentication:Username and checked against this source. Is there a workaround where ClearPass can accept any CN without checking an auth source?