Valued Contributor I

TLS CNs and matching with AD usernames

I have some Role generation rules that assign specific Roles based upon whether a user is in a specific AD group, e.g. "UoY Network Group" role assignment if (Authorization:UoY AD Authentication:memberOf CONTAINS cn=g0790stf,ou=Inst,ou=Groups,ou=UoY,DC=its,DC=york,DC=ac,DC=uk

When creating eap-tls client certificates I set up the CN to be "userid-{4 digit hex number}@york.ac.uk"

This sort of screws up the UoY Network Group Role as "userid-abcd@york.ac.uk" certainly isn't in that AD group.

Is there any way of using a regex to strip out my userid from the start of the Full-Username and use that when comparing against contents of an AD group?

 

Guru Elite

Re: TLS CNs and matching with AD usernames

Is the fully qualified username correct in any part of the certificate?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Valued Contributor I

Re: TLS CNs and matching with AD usernames

Actually the solution was simple (thanks to the PM I received from an Airheads user). All I had to do was replace

user:@,\:user

with

user:-,user:@,\:user

in the service processing the eap-tls stuff

and it all worked, e.g. for CN=as1558-abcd@york.ac.uk the username becomes as1558, which is what we want

Rgds

Alex
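To make the effect of the two rule strings above checkable, here is an added Python model of the username stripping (example code, not ClearPass's own implementation). It assumes my reading of the rule syntax: "user:X" keeps the text before the first X, "X:user" keeps the text after the last X, rules apply left to right, and a rule whose delimiter is absent changes nothing.

```python
# Added example, not ClearPass code: models "Strip Username Rules" as I
# understand them, so the old and new rule strings from the post can be
# compared on sample usernames (constructed inputs, not real accounts).
#
# Assumed semantics:
#   "user:X"  keep only the part before the first X  (drop a suffix such as a realm)
#   "X:user"  keep only the part after the last X    (drop a prefix such as DOMAIN\)
# Rules are comma separated and applied in order; a delimiter that is not
# present leaves the name untouched.

def parse_rules(rule_string: str):
    """Turn 'user:-,user:@,\\:user' into [('suffix','-'),('suffix','@'),('prefix','\\')]."""
    rules = []
    for raw in rule_string.split(","):
        raw = raw.strip()
        if raw.startswith("user:") and len(raw) > len("user:"):
            rules.append(("suffix", raw[len("user:"):]))
        elif raw.endswith(":user") and len(raw) > len(":user"):
            rules.append(("prefix", raw[:-len(":user")]))
        else:
            raise ValueError(f"unrecognised strip rule: {raw!r}")
    return rules

def strip_username(full_username: str, rule_string: str) -> str:
    """Apply the rules to the Full-Username and return the stripped value."""
    name = full_username
    for kind, delim in parse_rules(rule_string):
        if kind == "suffix":
            name = name.split(delim, 1)[0]      # drop everything from the first delimiter on
        else:
            name = name.rsplit(delim, 1)[-1]    # drop everything up to the last delimiter
    return name

if __name__ == "__main__":
    old_rules = r"user:@,\:user"
    new_rules = r"user:-,user:@,\:user"
    cn = "as1558-abcd@york.ac.uk"             # constructed CN in the post's format
    print(strip_username(cn, old_rules))       # as1558-abcd  (not an AD account)
    print(strip_username(cn, new_rules))       # as1558       (matches the AD group member)
```

Note that "user:-" cuts at the first hyphen, so the stripped value is what the AD group lookup is authorised against; userids that themselves contain a hyphen would be truncated and should be checked before relying on this rule.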

 

MVP

Re: TLS CNs and matching with AD usernames

Thanks for the tip, that may work with a TLS vs. AD username problem I'm facing as well.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it