Occasional Contributor II

EAP-TLS + Authorization

So my understanding with EAP-TLS is it doesn't verify the user has an active AD account as part of authentication, it only looks at the validity of the certificate.


Can you still pull the username from the certificate for authorization purposes? So we can still write policy that says "If user = memberof HR" assign VLAN 10?

Guru Elite

Re: EAP-TLS Authorization

Yes, you can still use identity store data for authorization including checks for account status and group membership.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: EAP-TLS Authorization

So during authentication is ClearPass somehow extracting the username from the certificate?


So a user could pass auth with a certificate, but if their AD account was deleted they may not get proper authorization (thus access reject).

Guru Elite

Re: EAP-TLS Authorization

The username is based on the EAP identity (what you see as IETF:User-Name).

Occasional Contributor II

Re: EAP-TLS Authorization

Dug a little deeper and found this.

https://www.arubanetworks.com/techdocs/ClearPass/6.7/Aruba_DeployGd_HTML/Content/A%20802.1X%20EAP-PEAP%20Reference/EAP_PEAP_handshake.htm

This actually really helped me understand EAP a bit better.

How is that outer identity defined by the supplicant?

I'm assuming with PEAP it would be based on whether you're doing user or machine on the supplicant, so it would know to use either the username or the machine name?

Guru Elite

Re: EAP-TLS Authorization

Most operating systems will pull the UPN or RFC822 name from the cert. Some will also allow it to be manually defined.

Occasional Contributor II

Re: EAP-TLS Authorization

Thanks! This was extremely helpful in making some things click before the ACCP tomorrow :) 

Frequent Contributor I

Re: EAP-TLS Authorization

You may need to strip the domain out of the cert CN in order to find the account in AD. For example, mobile devices enrolled in Airwatch had certs presenting 'user@domain.com' and I had to strip out the '@domain.com' in order to authorize based on group membership.
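The authorization step the thread describes (certificate validity is checked during authentication, but account status, group membership and VLAN assignment come from the identity store), as an added example that is not code from the thread or from ClearPass. The identity preference order (UPN, then rfc822Name, then CN), the realm stripping, and the directory and VLAN mapping are all constructed assumptions for illustration:

```python
# Added example: models how a RADIUS server can authorize an EAP-TLS session
# from identity-store data after the certificate has already been validated.
from typing import Optional, Tuple, Union

# Constructed identity store standing in for AD: username -> attributes.
FAKE_AD = {
    "jdoe":   {"enabled": True,  "groups": ["HR", "Domain Users"]},
    "asmith": {"enabled": False, "groups": ["Engineering"]},  # disabled account
}

# Constructed policy: first matching group wins, maps to a VLAN.
VLAN_POLICY = [("HR", 10), ("Engineering", 20)]


def eap_identity(cert_names: dict) -> Optional[str]:
    """Pick the identity a supplicant would send as IETF:User-Name.
    Preference order is an assumption: SAN UPN, then rfc822Name, then subject CN."""
    for key in ("upn", "rfc822", "cn"):
        if cert_names.get(key):
            return cert_names[key]
    return None


def ad_username(identity: str) -> str:
    """Strip the realm ('user@domain.com' -> 'user') so the AD lookup succeeds."""
    return identity.split("@", 1)[0].lower()


def authorize(cert_names: dict, directory=FAKE_AD) -> Tuple[str, Union[str, int]]:
    """Return ('ACCEPT', vlan) or ('REJECT', reason) for one authenticated session."""
    identity = eap_identity(cert_names)
    if identity is None:
        return ("REJECT", "no usable identity in certificate")
    account = directory.get(ad_username(identity))
    if account is None:
        # Valid certificate, but the AD account is gone: authorization fails.
        return ("REJECT", "account not found in AD")
    if not account["enabled"]:
        return ("REJECT", "account disabled")
    for group, vlan in VLAN_POLICY:
        if group in account["groups"]:
            return ("ACCEPT", vlan)
    return ("REJECT", "no matching group policy")


if __name__ == "__main__":
    print(authorize({"upn": "jdoe@domain.com"}))       # ('ACCEPT', 10)
    print(authorize({"rfc822": "asmith@domain.com"}))  # ('REJECT', 'account disabled')
    print(authorize({"cn": "ghost@domain.com"}))       # ('REJECT', 'account not found in AD')
```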