Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate expiry

  • 1.  Certificate expiry

    Posted Jul 23, 2019 11:17 AM
    We are using EAP-TLS for the wired LAN.

    We want to make a condition in the enforcement policy that if the certificate expiry is greater than 6 weeks away then allow, else deny.

    In the certificate attributes it only gives the option to put a specific date but does not give the option to put a week or a month of time.

    How do we achieve this?


  • 2.  RE: Certificate expiry

    Posted Jul 23, 2019 03:54 PM
    If the certificate expires the device won’t be able to connect successfully via 802.1X.

    You might be able to have a workaround using MAC authentication.


    Sent from Mail for Windows 10


  • 3.  RE: Certificate expiry

    Posted Jul 23, 2019 09:50 PM
    Hi Victor,

    Thanks. What if the certificate is revoked?

    We are not using any CRL/OCSP.

    So if a certificate is revoked manually by the PKI team, will the endpoint be able to connect?


    Also, how do we use the cert expiry condition for 6 weeks?

    Is there some time database for it?


  • 4.  RE: Certificate expiry

    Posted Jul 23, 2019 10:23 PM
    If you don’t have CRL or OCSP the device will still be able to connect if the certificate was revoked (I recommend using OCSP).

    You will need to use the [Time Source] as an authorization source and add a custom query based on the time you want (6 weeks) for ClearPass to enforce.
    Here you go:
    https://community.arubanetworks.com/t5/Security/Handling-certificate-expiration/m-p/93812#M6703



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: Certificate expiry

    Posted Jul 23, 2019 10:54 PM
    Hi Victor,

    Thanks for your response, always appreciated.

    We can't use CRL and OCSP as the customer doesn't want to use them.

    Is there any other condition we can put within the enforcement rules which checks revocation?


  • 6.  RE: Certificate expiry

    Posted Jul 24, 2019 01:52 AM

    It's only possible to check the certificates using OCSP/CRL. It's really strange that the customer doesn't want to use OCSP/CRL to check if the certificate is still valid.


    Please discuss with the customer to use OCSP/CRL, that is the way to go.



  • 7.  RE: Certificate expiry

    EMPLOYEE
    Posted Jul 24, 2019 02:53 AM

    Forget CRL for the original question: detect if a certificate is less than 6 weeks valid. The answer was provided already above: https://community.arubanetworks.com/t5/Security/Handling-certificate-expiration/m-p/95282/highlight/true#M6708


    In a nutshell: you create a time source that calculates the current time + 6 weeks as 'now + 6 weeks'. Then in your role mapping or enforcement, you compare 'now + 6 weeks' > %{Certificate:Not-Valid-After}, which checks if the certificate is still valid 6 weeks from now, and return a captive portal to explain to the user what he/she should do and allow access to AD/PKI/MDM/EMM so the client can retrieve a new certificate.
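The comparison described in this thread ('now + 6 weeks' against the certificate's Not-Valid-After), as an added stand-alone Python example that is not ClearPass code or anyone's post in this thread. It assumes the expiry is available in the `openssl`/`ssl`-module text form ("Jul 23 22:54:00 2019 GMT"); the endpoint list and the fixed "now" are constructed for the demonstration, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Grace window from the thread: warn while the cert is still valid but
# expires within 6 weeks, so the client can renew before 802.1X fails.
GRACE = timedelta(weeks=6)


def parse_not_after(not_after: str) -> datetime:
    """Parse an 'openssl x509 -enddate' style string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def decide(not_after: datetime, now: datetime, grace: timedelta = GRACE) -> str:
    """Mirror the ClearPass enforcement logic from the thread.

    'deny'           : already expired; EAP-TLS would fail anyway.
    'captive-portal' : now + grace > Not-Valid-After, i.e. expires within 6 weeks.
    'allow'          : still valid beyond the grace window.
    Note: this is expiry only. Without CRL/OCSP a revoked-but-unexpired
    certificate is indistinguishable from a valid one here.
    """
    if not_after <= now:
        return "deny"
    if now + grace > not_after:
        return "captive-portal"
    return "allow"


def evaluate_endpoints(endpoints: dict, now: datetime) -> dict:
    """Apply decide() to a mapping of endpoint name -> Not-Valid-After string."""
    return {name: decide(parse_not_after(exp), now) for name, exp in endpoints.items()}


# Constructed sample data: a fixed evaluation time (the thread's date) and
# three hypothetical endpoint certificates with different expiry dates.
NOW = datetime(2019, 7, 24, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = {
    "laptop-01": "Jul 23 22:54:00 2019 GMT",  # expired yesterday
    "laptop-02": "Aug 15 00:00:00 2019 GMT",  # ~3 weeks left -> captive portal
    "laptop-03": "Dec 31 23:59:59 2019 GMT",  # well beyond 6 weeks -> allow
}

if __name__ == "__main__":
    for name, verdict in evaluate_endpoints(SAMPLE_ENDPOINTS, NOW).items():
        print(f"{name}: {verdict}")
```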