Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OnBoard AD Group Authorization

  • 1.  OnBoard AD Group Authorization

    Posted Nov 08, 2016 12:18 AM

    Hello,

    I'm wondering if the following is possible with OnBoard (single provisioning SSID):

    We'd like to have users authenticate via AD (EAP-PEAP) when on-boarding their device, but we want to put the users in different roles based on what AD group they are in once they are provisioned and authenticating with EAP-TLS.

    Is it possible to write an attribute into the client's certificate (during the provisioning authorization service process) based on what AD group they belong to, so that we can filter for that attribute when doing EAP-TLS authentication to derive the correct role?

    I can see that there is an option in provisioning settings under 'Web Logins' to enter a custom field that will be written into the client certificate, but my understanding is that this requires user input in the login page. What we're after is automatic mapping of AD group to client certificate attribute. Is this possible?

    Many thanks, any assistance is appreciated.



  • 2.  RE: OnBoard AD Group Authorization

    EMPLOYEE
    Posted Nov 08, 2016 08:04 AM

    It's not recommended to embed dynamic data like group membership into the certificate because then the information can easily become dated.

    Instead, you can use AD as an authorization source and check group membership directly from Active Directory in real-time. This also allows you to verify whether the AD account for the user is still enabled.



  • 3.  RE: OnBoard AD Group Authorization

    Posted Nov 15, 2016 05:24 PM

    Thanks for your reply. This is the part that I'm confused about: if the user is provisioned and using EAP-TLS to authenticate with CP, how does CP know the user's credentials to pass to the AD? Wouldn't the user only present their client certificate without AD credentials? Does CP cache the credentials from the first time they authenticate with EAP-PEAP and pass them on again at a later date?



  • 4.  RE: OnBoard AD Group Authorization
    Best Answer

    EMPLOYEE
    Posted Nov 15, 2016 05:31 PM

    ClearPass uses the AD bind account during authorization to pull the user properties based on the username in the certificate.
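The two employee replies describe the same authorization step: take the username out of the presented client certificate, look that user up in Active Directory with the bind (service) account, and decide the role from live group membership and the account's enabled state instead of from data baked into the certificate at provisioning time. The Python below is an added illustration of that flow and is not ClearPass code or any HPE Aruba Networking API; the certificate fields, the group DNs, the role names and the in-memory "directory" are all constructed for the example, and the real AD search is replaced by a lookup callable so the block runs offline.

```python
"""Model of the EAP-TLS authorization step discussed in this thread.

Constructed example: the NAC server derives a username from the client
certificate, searches AD for that user with a bind account, and derives
the role from current memberOf values while rejecting disabled accounts.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Bit in Active Directory's userAccountControl meaning "account disabled".
ACCOUNTDISABLE = 0x0002
# Bit meaning "normal user account"; used for the constructed records.
NORMAL_ACCOUNT = 0x0200


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The username comes from a certificate the client presented, so it is
    untrusted input and must not be able to alter the filter structure.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def username_from_certificate(subject: dict, san_upn: Optional[str]) -> str:
    """Pick the lookup name: prefer a UPN from the SAN, else the subject CN.

    Which field OnBoard writes the identity into is a deployment choice;
    this preference order is an assumption made for the example.
    """
    if san_upn:
        return san_upn.split('@', 1)[0]
    cn = subject.get('CN')
    if not cn:
        raise ValueError('certificate carries no usable identity')
    return cn


def build_user_filter(username: str) -> str:
    """LDAP filter the bind account would search with."""
    return '(&(objectClass=user)(sAMAccountName=%s))' % (
        escape_ldap_filter_value(username))


@dataclass
class DirectoryEntry:
    sam_account_name: str
    member_of: List[str] = field(default_factory=list)
    user_account_control: int = NORMAL_ACCOUNT


@dataclass
class Decision:
    username: str
    allowed: bool
    role: Optional[str]
    reason: str


# Group DN -> NAC role, checked in order. Constructed values.
GROUP_TO_ROLE = [
    ('CN=Staff,OU=Groups,DC=example,DC=com', 'staff-role'),
    ('CN=Students,OU=Groups,DC=example,DC=com', 'student-role'),
]

# Constructed stand-in for AD: keyed by the exact filter the server would send.
CONSTRUCTED_DIRECTORY = {
    build_user_filter('alice'): DirectoryEntry(
        'alice', ['CN=Staff,OU=Groups,DC=example,DC=com']),
    build_user_filter('bob'): DirectoryEntry(
        'bob', ['CN=Students,OU=Groups,DC=example,DC=com']),
    build_user_filter('carol'): DirectoryEntry(
        'carol', ['CN=Staff,OU=Groups,DC=example,DC=com'],
        NORMAL_ACCOUNT | ACCOUNTDISABLE),
}


def authorize(subject: dict, san_upn: Optional[str],
              search: Callable[[str], Optional[DirectoryEntry]]) -> Decision:
    """Authorize an EAP-TLS client from live directory data.

    `search` stands in for an LDAP search performed with the bind account;
    it receives the filter string and returns the matching entry or None.
    """
    username = username_from_certificate(subject, san_upn)
    entry = search(build_user_filter(username))
    if entry is None:
        return Decision(username, False, None, 'no such account')
    if entry.user_account_control & ACCOUNTDISABLE:
        return Decision(username, False, None, 'account disabled')
    # DN comparison in AD is case-insensitive.
    groups = {dn.lower() for dn in entry.member_of}
    for group_dn, role in GROUP_TO_ROLE:
        if group_dn.lower() in groups:
            return Decision(username, True, role, 'member of ' + group_dn)
    return Decision(username, False, None, 'no mapped group')


if __name__ == '__main__':
    for subj, upn in ({'CN': 'alice'}, None), ({}, 'bob@example.com'), \
                     ({'CN': 'carol'}, None), ({'CN': 'dave'}, None):
        print(authorize(subj, upn, CONSTRUCTED_DIRECTORY.get))
```

Because the group lookup happens at every authentication, revoking a group membership or disabling the account takes effect on the next EAP-TLS session without reissuing the certificate, which is the point the first reply makes against embedding group data in the certificate.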