Security

Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks

if you want to be perfect, yes you need to keep updating the user cert by 'regenerating' the cert.

regen cert = locally delete and repull the new user cert by doing gpupdate /force

but have you tried not to locally delete and repull the new one ? coz actually by my exp, authenticating with a not-up-to-date cert will still work, bcoz i presume in AD side you just need to change the person's full name due to her/his legal matter.
Original Message:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD


Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks

Unfortunately, not deleting/repulling a new cert leaves the user with limited network access requiring the manual intervention.
Original Message:
Sent: Jun 30, 2022 08:55 PM
From: BERNHARD HUSTOMO
Subject: EAP-TLS and username changes in AD


if you want to be perfect, yes you need to keep updating the user cert by 'regenerating' the cert.

regen cert = locally delete and repull the new user cert by doing gpupdate /force

but have you tried not to locally delete and repull the new one ? coz actually by my exp, authenticating with a not-up-to-date cert will still work, bcoz i presume in AD side you just need to change the person's full name due to her/his legal matter.
Original Message:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD


Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks

Correct.  You could disable Authorization for the EAP-TLS Authentication method.  As long as the user has a valid certificate (not expired or revoked) then ClearPass will permit them access to the network.  ClearPass then won't attempt to compare the certificate to an account in AD.  You would also need to remove any authorization conditions that reference AD groups too.
Original Message:
Sent: Jul 01, 2022 07:50 AM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD

Unfortunately, not deleting/repulling a new cert leaves the user with limited network access requiring the manual intervention.
Original Message:
Sent: Jun 30, 2022 08:55 PM
From: BERNHARD HUSTOMO
Subject: EAP-TLS and username changes in AD


if you want to be perfect, yes you need to keep updating the user cert by 'regenerating' the cert.

regen cert = locally delete and repull the new user cert by doing gpupdate /force

but have you tried not to locally delete and repull the new one ? coz actually by my exp, authenticating with a not-up-to-date cert will still work, bcoz i presume in AD side you just need to change the person's full name due to her/his legal matter.
Original Message:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD


Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks

Good information. I appreciate the responses.

I know this isn't the forum for a certificate question, but figure I will ask anyway...
One question I have regarding this issue is any new user will pull a good cert. Why isn't a new cert pulled when the user logs in after a name change?
Original Message:
Sent: Jul 01, 2022 08:06 AM
From: Unknown User
Subject: EAP-TLS and username changes in AD

Correct.  You could disable Authorization for the EAP-TLS Authentication method.  As long as the user has a valid certificate (not expired or revoked) then ClearPass will permit them access to the network.  ClearPass then won't attempt to compare the certificate to an account in AD.  You would also need to remove any authorization conditions that reference AD groups too.
Original Message:
Sent: Jul 01, 2022 07:50 AM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD

Unfortunately, not deleting/repulling a new cert leaves the user with limited network access requiring the manual intervention.
Original Message:
Sent: Jun 30, 2022 08:55 PM
From: BERNHARD HUSTOMO
Subject: EAP-TLS and username changes in AD


if you want to be perfect, yes you need to keep updating the user cert by 'regenerating' the cert.

regen cert = locally delete and repull the new user cert by doing gpupdate /force

but have you tried not to locally delete and repull the new one ? coz actually by my exp, authenticating with a not-up-to-date cert will still work, bcoz i presume in AD side you just need to change the person's full name due to her/his legal matter.
Original Message:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD


Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks

I just thought through my own question...
The fact there is already a cert in the user's personal cert store.
Original Message:
Sent: Jul 01, 2022 08:20 AM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD

Good information. I appreciate the responses.

I know this isn't the forum for a certificate question, but figure I will ask anyway...
One question I have regarding this issue is any new user will pull a good cert. Why isn't a new cert pulled when the user logs in after a name change?
Original Message:
Sent: Jul 01, 2022 08:06 AM
From: Unknown User
Subject: EAP-TLS and username changes in AD

Correct.  You could disable Authorization for the EAP-TLS Authentication method.  As long as the user has a valid certificate (not expired or revoked) then ClearPass will permit them access to the network.  ClearPass then won't attempt to compare the certificate to an account in AD.  You would also need to remove any authorization conditions that reference AD groups too.
Original Message:
Sent: Jul 01, 2022 07:50 AM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD

Unfortunately, not deleting/repulling a new cert leaves the user with limited network access requiring the manual intervention.
Original Message:
Sent: Jun 30, 2022 08:55 PM
From: BERNHARD HUSTOMO
Subject: EAP-TLS and username changes in AD


if you want to be perfect, yes you need to keep updating the user cert by 'regenerating' the cert.

regen cert = locally delete and repull the new user cert by doing gpupdate /force

but have you tried not to locally delete and repull the new one ? coz actually by my exp, authenticating with a not-up-to-date cert will still work, bcoz i presume in AD side you just need to change the person's full name due to her/his legal matter.
Original Message:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD


Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks

There is only one case (so far thru my exp) that the cert will automatically get replaced by the new one (auto repull), which is... if the expiry date is extended (in Microsoft CA there is this option to auto-generate a new cert if its expiry date is near).
Original Message:
Sent: Jul 01, 2022 08:31 AM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD

I just thought through my own question...
The fact there is already a cert in the user's personal cert store.
Original Message:
Sent: Jul 01, 2022 08:20 AM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD

Good information. I appreciate the responses.

I know this isn't the forum for a certificate question, but figure I will ask anyway...
One question I have regarding this issue is any new user will pull a good cert. Why isn't a new cert pulled when the user logs in after a name change?
Original Message:
Sent: Jul 01, 2022 08:06 AM
From: Unknown User
Subject: EAP-TLS and username changes in AD

Correct.  You could disable Authorization for the EAP-TLS Authentication method.  As long as the user has a valid certificate (not expired or revoked) then ClearPass will permit them access to the network.  ClearPass then won't attempt to compare the certificate to an account in AD.  You would also need to remove any authorization conditions that reference AD groups too.
Original Message:
Sent: Jul 01, 2022 07:50 AM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD

Unfortunately, not deleting/repulling a new cert leaves the user with limited network access requiring the manual intervention.
Original Message:
Sent: Jun 30, 2022 08:55 PM
From: BERNHARD HUSTOMO
Subject: EAP-TLS and username changes in AD


if you want to be perfect, yes you need to keep updating the user cert by 'regenerating' the cert.

regen cert = locally delete and repull the new user cert by doing gpupdate /force

but have you tried not to locally delete and repull the new one ? coz actually by my exp, authenticating with a not-up-to-date cert will still work, bcoz i presume in AD side you just need to change the person's full name due to her/his legal matter.
Original Message:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD


Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks

Two Options:

1. Do what you are doing today
2. Switch to machine authentication

The reason this doesn't work is because once the user's account name in AD changes, it no longer will match the certificate for the user on the computer.  So when ClearPass recevies the username from the CN (or SAN field or wherever) of the certificate, it will look up that user in AD.  This will fail since the username no longer exists in AD.
Original Message:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD


Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks

I just think of other option, maybe we can revoke the cert from the server ?
You may try to explore OCSP thingy, but I am not entirely sure if : once you revoked, the old cert will still be there or not, and once the user re-login, will it repull a new cert or not, and then the last thing, will the user's endpoint authenticate using the revoked one or the new one it just repulls ... ?

There is another alternative to OCSP, you can put CRL address in the clearpass and set to periodically query the CRL server about the revoked list.

And one other thing you can try , is creating a new Authentication Method , and select what you want to compare against the cert attributes, as below:


Original Message:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD


Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks

Good suggestion. I don't know enough about how the auth method works to speak to this, but I will definitely run it by the engineer who manages our CP install. 

Thank you!
Original Message:
Sent: Jul 01, 2022 10:38 PM
From: BERNHARD HUSTOMO
Subject: EAP-TLS and username changes in AD

I just think of other option, maybe we can revoke the cert from the server ?
You may try to explore OCSP thingy, but I am not entirely sure if : once you revoked, the old cert will still be there or not, and once the user re-login, will it repull a new cert or not, and then the last thing, will the user's endpoint authenticate using the revoked one or the new one it just repulls ... ?

There is another alternative to OCSP, you can put CRL address in the clearpass and set to periodically query the CRL server about the revoked list.

And one other thing you can try , is creating a new Authentication Method , and select what you want to compare against the cert attributes, as below:


Original Message:
Sent: Jun 30, 2022 04:20 PM
From: Gideon Kane
Subject: EAP-TLS and username changes in AD


Hello. Excuse my lack of specific knowledge, I am posting this for our engineer who manages this environment. We have Clearpass, Active Directory, and a Windows PKI. Domain users and domain computers are automatically enrolling in a certificate template provided via GPO. Everything works well unless one of our users needs to change his/her username due to marriage, divorce, etc... At that point we have to delete the cert from the local store and have the user log off / login again to get a new cert with the changed username. 

Is this just something we need to live with or is there a better way to setup our environment... aside from machine only authentication. 

Thanks