Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Easier way to reference CA Certificates?

  • 1.  Easier way to reference CA Certificates?

    Posted May 23, 2016 10:30 AM

    AirHeads:

    I'm attempting to migrate our FreeRadius implementation to ClearPass - and while I have something working ... it's rather embarrassingly messy.

     

    For example: in my main role map, I'm checking that the Certificate:Issuer-CN EQUALS "/CN=WPI NetOps Wireless CA...." using the full Certificate Path as the string match.  As I said it works, but I have these huge long strings which are subject to typos not easily discovered.  It gets worse when you want to add in both your production CA and test CA in the same BELONGS_TO in order to make sure either certificate gives the same results.

     

    This seems rather silly, as I've already been able to upload the CA Certificate to the ClearPass appliance.  Is there any way to reference the CA I've uploaded rather than typing in the full certificate path?  Perhaps some shiny, happy click of a few checkboxes?

     

    Thanks!

     



  • 2.  RE: Easier way to reference CA Certificates?

    EMPLOYEE
    Posted May 23, 2016 10:37 AM

    When used in a role map, that's likely the only way to get an exact match.



  • 3.  RE: Easier way to reference CA Certificates?

    Posted May 23, 2016 10:38 AM

    Do I sense an RFE in the future for this particular UI challenge?



  • 4.  RE: Easier way to reference CA Certificates?

    EMPLOYEE
    Posted May 23, 2016 10:40 AM
    What would you be looking to key off of instead?


  • 5.  RE: Easier way to reference CA Certificates?

    Posted May 23, 2016 10:48 AM

    In this particular case, it would be nice to simply be able to select from the CA Certificates already uploaded to CPPM to match against.  If you would like an example UI, create a Role Mapping rule for Authorization:Sources MATCHES_ANY.  That gives you a list of all the Auth Sources and the ability to simply select those you want to match against.  However, since you are likely to have many more CA certificates than Auth Sources, some sort of check box rather than CTRL-Click might be appropriate.

     

    I don't have a problem matching on the Certificate Path - it's just a little unwieldy and prone to typos that aren't easily caught that wouldn't happen in a different interface.



  • 6.  RE: Easier way to reference CA Certificates?
    Best Answer

    EMPLOYEE
    Posted May 23, 2016 10:57 AM
    This would definitely be an RFE.


  • 7.  RE: Easier way to reference CA Certificates?

    Posted May 23, 2016 11:13 AM

    And the email is off to my SE.  Thanks Tim!