Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass EAP-TLS Certificate Comparison

  • 1.  ClearPass EAP-TLS Certificate Comparison

    Posted May 22, 2023 10:13 AM

    Hi All,

    What does Compare Subject Alternate Name (SAN) mean in the ClearPass EAP-TLS Certificate Comparison?
    The client is an MS Intune device and the client certificate has a SAN.

    Thanks



  • 2.  RE: ClearPass EAP-TLS Certificate Comparison

    Posted May 22, 2023 02:16 PM

    Traditionally this is used to compare a value from one of the certificate fields to an object in Active Directory. Not sure how this plays into an Intune device, or if this option is even possible.




  • 3.  RE: ClearPass EAP-TLS Certificate Comparison

    Posted May 23, 2023 02:11 AM

    Intune devices are not domain joined and there are no corresponding objects in Active Directory.




  • 4.  RE: ClearPass EAP-TLS Certificate Comparison
    Best Answer

    EMPLOYEE
    Posted May 26, 2023 11:20 AM

    What ahollifield describes is the Authorization checkbox in the EAP-TLS Method. The Compare (CN/DN/SAN/CN-SAN) compares the username that is sent to a field in the certificate. With EAP-TLS the client can select an arbitrary username that is used, and without comparison that name is then used to look up authorization in AD/Intune. With the comparison enabled, if the username sent does not match the field, the authentication will fail. For me with Intune the Compare CN or SAN works fine, as long as the username sent matches the UPN/E-mail. The CN for Intune should be set to the Intune Device ID, so that won't match, and with a Compare CN the authentication is supposed to fail.

    Long story, but failing compare between the username sent and the selected fields in the certificates will reject the authentication to avoid username spoofing.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: ClearPass EAP-TLS Certificate Comparison

    MVP
    Posted May 30, 2023 07:33 AM

    What you are describing is not TLS recommended practice according to the RFC 5216 standard.

    It states:

        o  It is no longer recommended that the identity presented in the
           EAP-Response/Identity be compared to the identity provided in the
           peer certificate.

    Further,

        It is RECOMMENDED that the Identity Response be used primarily for
        routing purposes and selecting which EAP method to use.  EAP
        Methods SHOULD include a method-specific mechanism for obtaining
        the identity, so that they do not have to rely on the Identity
        Response.

    It is possible to configure ClearPass to use the certificate Subject-CN for authentication & authorization, but it is not the normal configuration.

    I personally recommend anyone configuring ClearPass for EAP-TLS familiarize themselves with the standard. https://www.rfc-editor.org/rfc/rfc5216.txt



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------
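As an added illustration of the two approaches discussed above (the Compare CN/DN/SAN/CN-SAN check described in post 4, and the RFC 5216 approach in post 5 of taking the identity from the certificate itself rather than from the EAP-Response/Identity), here is a small Python model of both. This is not ClearPass code and does not reproduce its exact matching rules; the certificate record, the device ID and the e-mail address are constructed, and case-insensitive matching is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ClientCert:
    """Fields a RADIUS server reads from the peer certificate.

    Constructed record for illustration, not a parsed X.509 certificate.
    `san` holds the string values of rfc822Name / UPN otherName entries.
    """
    subject_cn: str
    subject_dn: str
    san: List[str] = field(default_factory=list)


def _same(a: str, b: str) -> bool:
    # Assumption: names are compared case-insensitively after trimming whitespace.
    return a.strip().lower() == b.strip().lower()


def compare_identity(identity: str, cert: ClientCert, mode: str) -> bool:
    """Model of the EAP-TLS 'Compare' authorization check.

    `identity` is the username from EAP-Response/Identity, which the client
    chooses freely; `mode` selects the certificate field it must match.
    """
    if mode == "CN":
        return _same(identity, cert.subject_cn)
    if mode == "DN":
        return _same(identity, cert.subject_dn)
    if mode == "SAN":
        return any(_same(identity, s) for s in cert.san)
    if mode == "CN-SAN":
        return _same(identity, cert.subject_cn) or any(_same(identity, s) for s in cert.san)
    raise ValueError(f"unknown compare mode: {mode}")


def authorization_identity(identity: str, cert: ClientCert, mode: str,
                           compare_enabled: bool) -> Optional[str]:
    """Name that would be used for the AD/Intune authorization lookup.

    With the comparison disabled the client-supplied name is trusted as-is,
    so a client with any valid certificate can name another user.
    With it enabled, a mismatch rejects the authentication (returns None).
    """
    if not compare_enabled:
        return identity
    return identity if compare_identity(identity, cert, mode) else None


def identity_from_certificate(cert: ClientCert, prefer_san: bool = True) -> str:
    """RFC 5216 style: derive the identity from the authenticated certificate
    and ignore the outer EAP identity entirely (it is only used for routing)."""
    if prefer_san and cert.san:
        return cert.san[0]
    return cert.subject_cn


# Constructed Intune-style certificate: CN is a device ID placeholder, SAN is the UPN.
INTUNE_CERT = ClientCert(
    subject_cn="00000000-0000-0000-0000-000000000000",
    subject_dn="CN=00000000-0000-0000-0000-000000000000,OU=Intune,O=Example",
    san=["alice@example.com"],
)


if __name__ == "__main__":
    for mode in ("CN", "DN", "SAN", "CN-SAN"):
        print(f"Compare {mode:6s} identity=alice@example.com ->",
              compare_identity("alice@example.com", INTUNE_CERT, mode))
    # Spoofed outer identity: accepted without comparison, rejected with it.
    print("no compare :", authorization_identity("admin@example.com", INTUNE_CERT, "SAN", False))
    print("compare SAN:", authorization_identity("admin@example.com", INTUNE_CERT, "SAN", True))
    # RFC 5216 approach: identity comes from the certificate, not the client.
    print("from cert  :", identity_from_certificate(INTUNE_CERT))
```

The run shows the behaviour Herman describes for an Intune device: Compare SAN and CN-SAN succeed when the client sends its UPN, Compare CN fails because the CN holds the device ID, and a spoofed outer identity is only rejected when the comparison is enabled. `identity_from_certificate` shows the alternative Bruce points to, where the authorization lookup never depends on the client-chosen name at all.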