Security

Occasional Contributor II

Certificate expiry

We are using EAP-TLS for the wired LAN.

We want to create a condition in the enforcement policy so that if the certificate expiry is greater than 6 weeks, then allow; else deny.

In the certificate attributes it only gives the option to enter a specific date, but not the option to specify a period such as a week or a month.

How do we achieve this?
MVP Guru

Re: Certificate expiry

If the certificate expires, the device won’t be able to connect successfully via 802.1X.

You might be able to have a workaround using MAC authentication.


Sent from Mail for Windows 10
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Certificate expiry

Hi Victor,

Thanks. What if the certificate is revoked?

We are not using any CRL/OCSP.

So if the certificate is revoked manually by the PKI team, will the endpoint be able to connect?


Also, how do we use a cert expiry condition for 6 weeks?

Is there some time database for it?
MVP Guru

Re: Certificate expiry

If you don’t have CRL or OCSP, the device will still be able to connect if the certificate was revoked (I recommend using OCSP).

You will need to use the [Time Source] as an authorization source and add a custom query based on the time you want (6 weeks) for ClearPass to enforce.
Here you go:
https://community.arubanetworks.com/t5/Security/Handling-certificate-expiration/m-p/93812#M6703

Thank you

Victor Fabian

Pardon typos sent from Mobile
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II

Re: Certificate expiry

Hi Victor,

Thanks for your response, always appreciated.

We can't use CRL and OCSP as the customer doesn't want to use them.

Is there any other condition we can put within the enforcement rules which checks revocation?
Super Contributor I

Re: Certificate expiry

It's only possible to check the certificates using OCSP/CRL. It's really strange that the customer doesn't want to use OCSP/CRL to check if the certificate is still valid.
Please discuss with the customer to use OCSP/CRL, that is the way to go.


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
MVP Guru

Re: Certificate expiry

Forget CRL for the original question: detect if a certificate is less than 6 weeks valid. The answer was provided already above: https://community.arubanetworks.com/t5/Security/Handling-certificate-expiration/m-p/95282/highlight/true#M6708
In a nutshell: you create a time source that calculates the current time + 6 weeks as 'now + 6 weeks'. Then in your role mapping or enforcement, you compare 'now + 6 weeks' > %{Certificate:Not-Valid-After}, which checks if the certificate is still valid 6 weeks from now, and return a captive portal to explain to the user what he/she should do and allow access to AD/PKI/MDM/EMM so the client can retrieve a new certificate.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
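The comparison described in the two MVP Guru replies above ('now + 6 weeks' against the certificate's Not-Valid-After attribute) can be worked through outside ClearPass to see exactly which endpoints each branch catches. The following is an added example, not ClearPass configuration or code from the thread: it re-implements the rule in plain Python with the standard library only. The function names (`parse_not_after`, `evaluate_certificate`, `evaluate_endpoints`) and the sample endpoint records are constructed for illustration; the date format is the OpenSSL-style "notAfter" string that `ssl.cert_time_to_seconds` understands.

```python
from datetime import datetime, timedelta, timezone
import ssl

# The renewal window from the thread: the time source computes 'now + 6 weeks'.
RENEWAL_WINDOW = timedelta(weeks=6)


def parse_not_after(not_after: str) -> datetime:
    """Parse an OpenSSL-style notAfter string ('Mar 01 00:00:00 2024 GMT')
    into a timezone-aware UTC datetime. Hypothetical helper for this example."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def evaluate_certificate(not_after: datetime, now: datetime,
                         window: timedelta = RENEWAL_WINDOW) -> str:
    """Apply the thread's rule and return one of three decisions:
      'deny'            - already expired; EAP-TLS would fail anyway
      'renewal-portal'  - 'now + 6 weeks' > Not-Valid-After, i.e. the cert
                          expires inside the window: restricted access to
                          AD/PKI/MDM/EMM plus a captive portal for renewal
      'allow'           - still valid 6 weeks from now: normal access
    `now` is passed explicitly so the check is deterministic and testable."""
    if not_after <= now:
        return "deny"
    threshold = now + window  # what the [Time Source] query supplies
    if threshold > not_after:  # the comparison from the post
        return "renewal-portal"
    return "allow"


def evaluate_endpoints(endpoints: dict, now: datetime) -> dict:
    """Map each endpoint (keyed by MAC, values are notAfter strings) to a decision."""
    return {mac: evaluate_certificate(parse_not_after(exp), now)
            for mac, exp in endpoints.items()}


# Constructed sample data: three wired 802.1X clients with different expiry dates.
SAMPLE_ENDPOINTS = {
    "00:11:22:33:44:01": "Mar 01 00:00:00 2024 GMT",  # ~60 days out -> allow
    "00:11:22:33:44:02": "Jan 20 00:00:00 2024 GMT",  # 19 days out  -> renewal-portal
    "00:11:22:33:44:03": "Dec 01 00:00:00 2023 GMT",  # already expired -> deny
}

if __name__ == "__main__":
    # Fixed 'now' so the sample is reproducible; a live check would use datetime.now(timezone.utc).
    fixed_now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for mac, decision in evaluate_endpoints(SAMPLE_ENDPOINTS, fixed_now).items():
        print(f"{mac}: {decision}")
```

The split into three outcomes is the point worth noticing: an expired certificate never reaches the "6 weeks" comparison because the TLS handshake already fails, so the time-source rule only ever changes the outcome for clients that are still able to authenticate but are about to lose that ability. Note that none of this says anything about revocation; as the thread states, that requires CRL or OCSP.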