Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS + Authorization

  • 1.  EAP-TLS + Authorization

    Posted Apr 02, 2019 10:25 PM

    So my understanding with EAP-TLS is it doesn't verify the user has an active AD account as part of authentication, it only looks at the validity of the certificate.

    Can you still pull the username from the certificate for authorization purposes? So we can still write policy that says "If user = memberof HR" assign VLAN 10?



  • 2.  RE: EAP-TLS + Authorization

    EMPLOYEE
    Posted Apr 02, 2019 10:27 PM
    Yes, you can still use identity store data for authorization including checks for account status and group membership.


  • 3.  RE: EAP-TLS + Authorization
    Best Answer

    Posted Apr 02, 2019 10:33 PM

    So during authentication is ClearPass somehow extracting the username from the certificate?

    So a user could pass auth with a certificate, but if their AD account was deleted they may not get proper authorization (thus access reject).



  • 4.  RE: EAP-TLS + Authorization

    EMPLOYEE
    Posted Apr 02, 2019 10:34 PM
    The username is based on the EAP identity (what you see as IETF:User-Name)


  • 5.  RE: EAP-TLS + Authorization

    Posted Apr 02, 2019 10:45 PM

    Dug a little deeper and found this.

    https://www.arubanetworks.com/techdocs/ClearPass/6.7/Aruba_DeployGd_HTML/Content/A%20802.1X%20EAP-PEAP%20Reference/EAP_PEAP_handshake.htm

    This actually really helped me understand EAP a bit better.

    How is that outer identity defined by the supplicant?

    I'm assuming with PEAP it would be based on whether you're doing user or machine auth on the supplicant, so it would know to use either the username or the machine name?



  • 6.  RE: EAP-TLS + Authorization
    Best Answer

    EMPLOYEE
    Posted Apr 02, 2019 10:48 PM
    Most operating systems will pull the UPN or RFC822 name from the cert. Some will also allow it to be manually defined.


  • 7.  RE: EAP-TLS + Authorization

    Posted Apr 02, 2019 10:51 PM

    Thanks! This was extremely helpful in making some things click before the ACCP tomorrow :) 



  • 8.  RE: EAP-TLS + Authorization

    Posted Apr 05, 2019 11:38 AM
    You may need to strip the domain out of the cert CN in order to find the account in AD. For example, mobile devices enrolled in Airwatch had certs presenting 'user@domain.com' and I had to strip out the '@domain.com' in order to authorize based on group membership.
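To illustrate the split the thread describes between certificate authentication and identity-store authorization, here is an added example (not ClearPass or HPE Aruba code): it reduces the certificate-derived EAP identity to a bare account name, as in the reply above, then looks the account up in a constructed directory snapshot to enforce account status and a group-to-VLAN policy. The directory contents, the `host/` machine-identity handling and the VLAN mapping are assumptions for the example.

```python
# Added example, not ClearPass code. A valid certificate only proves key
# possession; the identity-store lookup decides whether the account still
# exists, is enabled, and which enforcement profile (VLAN) applies.
from dataclasses import dataclass, field


@dataclass
class Account:
    enabled: bool
    groups: set = field(default_factory=set)


# Constructed stand-in for the AD identity store (ClearPass would query LDAP).
DIRECTORY = {
    "jsmith": Account(enabled=True, groups={"HR", "Staff"}),
    "bjones": Account(enabled=False, groups={"Finance"}),   # disabled account
    "laptop01$": Account(enabled=True, groups={"Domain Computers"}),
}

# Assumed policy: first matching group wins.
VLAN_POLICY = [("HR", 10), ("Finance", 20), ("Domain Computers", 30)]


def account_name(identity: str) -> str:
    """Reduce a certificate identity to the bare account name.

    Handles UPN / RFC822 names (user@domain.com), DOMAIN\\user, and the
    machine form host/name.domain.com -> name$ (assumed AD naming).
    """
    ident = identity.strip()
    if ident.lower().startswith("host/"):
        fqdn = ident[len("host/"):]
        return fqdn.split(".", 1)[0].lower() + "$"
    if "\\" in ident:
        ident = ident.split("\\", 1)[1]
    if "@" in ident:
        ident = ident.split("@", 1)[0]
    return ident.lower()


def authorize(identity: str) -> tuple:
    """Return ("accept", vlan) or ("reject", None) for an authenticated identity."""
    acct = DIRECTORY.get(account_name(identity))
    if acct is None or not acct.enabled:
        return ("reject", None)      # deleted or disabled account -> Access-Reject
    for group, vlan in VLAN_POLICY:
        if group in acct.groups:
            return ("accept", vlan)
    return ("reject", None)          # no enforcement rule matched


if __name__ == "__main__":
    for ident in ("jsmith@domain.com", "bjones@domain.com", "ghost@domain.com"):
        print(ident, "->", authorize(ident))
```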