Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authorising devices with ":n:Onboarddevice" username

  • 1.  Authorising devices with ":n:Onboarddevice" username

    Posted Aug 06, 2014 07:42 PM

    Have just implemented an onboard solution but we've now lost the ability to put users into roles based on their AD username since the Android network settings replace this with ":n:Onboarddevice".

     

    I notice that the common name on each user's cert is still their AD username. Is it possible to use this attribute of the certificate in an enforcement policy using AD authorization?



  • 2.  RE: Authorising devices with ":n:Onboarddevice" username

    EMPLOYEE
    Posted Aug 06, 2014 07:48 PM

    You should be able to.  Are you using TLS for Onboard?  If so, then the username within the TLS cert is preserved and then used for AD authorization.



  • 3.  RE: Authorising devices with ":n:Onboarddevice" username

    EMPLOYEE
    Posted Aug 06, 2014 07:49 PM
    The identity is still passed as the user's username. The certificate is simply their secured password. Do you have AD as an authorization source in your EAP-TLS service?


  • 4.  RE: Authorising devices with ":n:Onboarddevice" username

    Posted Aug 06, 2014 07:51 PM

    So this mainly affects Android, which still uses PEAP after onboarding.

     

    Our iOS devices still have the correct username, but definitely the outer identity is being replaced with ":n:Onboarddevice" for all Android certs, where 'n' is the serial number of the certificate being created by Onboard.

     

    How can I access the common name attribute in the cert? It's not present under the onboard devices repo.

     

    edit: screenshot for proof :)



  • 5.  RE: Authorising devices with ":n:Onboarddevice" username

    EMPLOYEE
    Posted Aug 06, 2014 07:52 PM

    Can you please try to use TLS for the Android devices as well?  



  • 6.  RE: Authorising devices with ":n:Onboarddevice" username
    Best Answer

    EMPLOYEE
    Posted Aug 06, 2014 07:54 PM
    What version are you running?

    Android should be using TLS as well.

    The certificate information is available under the "Certificate" source.


  • 7.  RE: Authorising devices with ":n:Onboarddevice" username

    Posted Aug 06, 2014 07:57 PM

    Ok thought it was just a limitation.. will try changing to TLS in the network protocol settings..

    This customer is running latest 6.3.4.

    cheers



  • 8.  RE: Authorising devices with ":n:Onboarddevice" username

    Posted Aug 06, 2014 08:02 PM

    It worked, kudos to you both.

     

    Probably the default settings for Android (and Windows?) should be updated to TLS.

     

     



  • 9.  RE: Authorising devices with ":n:Onboarddevice" username

    EMPLOYEE
    Posted Aug 06, 2014 08:04 PM

    As of 6.4 all the defaults for network settings are TLS

     
