Wifi certificate auth from AD CS and UserPrincipalName?
Hi, I'm not an Aruba Networks guru but I've been around the block a few times with other vendors solutions :-)
I currently manage our internal AD PKI and we're looking to deploy authentication for WiFi devices (IOS and Android for now). I have a certificate template created for this and the UserPrincipalName is stamped to the Subject of each user cert. As part of the auth process we would like to have the issued certificate validated against the logged on user and the UPN stamped on the certificate (and issued from specific CA's). We would like more than the presence of an internally issued cert to be the means of authentication.
I haven't found any solid write ups on this.
Has anyone done something like this on Aruba? I've done it on Cisco ACS a few years back and their EAP-TLS configuration wasn't easy then either!
thanks in advance!
Re: Wifi certificate auth from AD CS and UserPrincipalName?
Unsure if there is a good write up, but you should create a new AD Authentication sources that queries based on the UPN rather than on the SAMAccountName (default).
If you use both SAMAccountName and UPN in the same service, you can add both Authentication sources, if you just use one of them, remove the other.
For the new Authentication Source you will need to modify the Attribute filters. Easiest is to start with the Normal Active Directory template, and modify the filters. I assume you can figure out the exact filters.
In the Attributes tab, you see all the attribute queries:
If you then edit each of the queries, you can see and modify the query to get attributes based on another attribute than the standard SAMAccountName:
Here is an example where in a single filter SAMAccountName OR mail fields are checked:
Does this help? You may share the filter that you came up with after testing, to help others in the same situation.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).