I'd like to have a better understanding of the Method Details for EAP-TLS. Specifically, these options:
Authorization required
I'm not sure how this differs from checking the authorization box in the Service that I create or if checking this option under EAP-TLS is required for authorization attributes to be pulled auotmatically?
Certificate Comparison
What do I gain by performing a certificate comparison? All of our user certs are issued automatically by AD. I want to be sure that as long as the cert hasn't expired or been revoked, and the user's account hasn't been disabled that they'll be authenticated.
Verify Certificate using OCSP
This is for verifying that a certificate hasn't been revoked using OCSP only, right? Our certs only include a CRL URL so will the validity of the certs not be verified using a CRL?
======================================= If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
I know the thread is a bit old, but I was looking for the same issue and I want to share my Information:
Authorization required You need to untick this option, when you don't want to use an additional Authentication source. The Authentication Sources then wouldn't be used. See: Cert only authentication (EAP-TLS)
Certificate Comparison If you choose i.e. Common Name (CN) then the certificate common name would be check against the provided common name of the device.
Verify Certificate using OCSP At this point I don't know to handle CRL, but if you are using OSCP, why not to use this as a validation mechanism?
thank you for sharing that information Marcel. that is what airheads is about.
as for ocsp / crl i don't believe many systems will check crl urls themselves, that is something the client can do if it wants to. crls are often local anyway, so the clearpass might not be even able to reach it. ocsp is the way to go.
