Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS Windows Client not using username - Can ClearPass check on CN

  • 1.  EAP-TLS Windows Client not using username - Can ClearPass check on CN

    Posted Aug 15, 2022 07:06 AM

    I have an issue when doing Windows EAP-TLS on wired auth (Windows 10, OS-CX and CPPM): the environment does NOT use the email as username, which is different from most set-ups. Usernames are a 6-digit ID.

    The PC has Group Policy and a user cert, but when it authenticates it uses the email address as username, resulting in "user not found".

    I have 2 options, I think:
    A: It's the PC that determines what's sent in the EAP packet and therefore it must be changed on the PC. It can't be influenced by the switch or CPPM.
    or
    B: Is there an option for ClearPass to look at the CN = XXX of the user?

    The cert on the machine is in the username.


  • 2.  RE: EAP-TLS Windows Client not using username - Can ClearPass check on CN

    Posted Aug 15, 2022 08:55 AM
    In your EAP-TLS method (Configuration » Authentication » Methods) select Certificate Comparison option and change to whatever field in the Certificate the username is.  Is the username within any field in that certificate though?  If not you have two options:
    • Have PKI admin add the username to a field in the certificate.
    • Change AD to use email for username.



  • 3.  RE: EAP-TLS Windows Client not using username - Can ClearPass check on CN
    Best Answer

    EMPLOYEE
    Posted Aug 17, 2022 04:48 AM
    Option C: Change the AD Query to search for the e-mail in AD: https://www.youtube.com/watch?v=5HD3-2APAUs

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
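Added example, not code from this thread or from ClearPass: it models the two workable mappings discussed above, Option B (compare against the certificate Subject CN) and Option C (an AD query that also matches on e-mail), with RFC 4515 escaping of the presented name. The certificate fields and directory entries are constructed sample data, and `%{Authentication:Username}` is assumed to be the ClearPass placeholder substituted into the auth-source filter.

```python
"""Map the identity a Windows EAP-TLS client presents to the 6-digit AD account.
Sample DN and directory entries are constructed; %{Authentication:Username} is an
assumed ClearPass filter placeholder."""
import re

# Constructed sample: what the supplicant sends vs. what AD stores.
PRESENTED_IDENTITY = "jane.doe@example.com"          # from the cert's SAN / UPN
SAMPLE_SUBJECT_DN = "CN=123456,OU=Staff,DC=example,DC=com"
SAMPLE_DIRECTORY = [
    {"objectClass": "user", "sAMAccountName": "123456", "mail": "jane.doe@example.com"},
    {"objectClass": "user", "sAMAccountName": "654321", "mail": "j.smith@example.com"},
    {"objectClass": "computer", "sAMAccountName": "PC01$"},
]

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def ldap_escape(value):
    """RFC 4515 escaping so a presented name cannot alter the filter structure."""
    return "".join(_ESCAPES.get(c, c) for c in value)

def extract_cn(subject_dn):
    """Option B: pull the CN RDN out of a Subject DN (handles '\\,' inside values)."""
    m = re.search(r"(?:^|(?<!\\),)\s*CN=((?:\\.|[^,])*)", subject_dn)
    return m.group(1).replace("\\,", ",") if m else None

def lookup_filter(presented):
    """Option C: AD filter matching the ID in sAMAccountName OR the e-mail in mail."""
    v = ldap_escape(presented)
    return f"(&(objectClass=user)(|(sAMAccountName={v})(mail={v})))"

# The string to paste into the AD authentication source filter (assumed placeholder).
CLEARPASS_FILTER = lookup_filter("%{Authentication:Username}")

def resolve_user(presented, directory=SAMPLE_DIRECTORY):
    """Emulate lookup_filter() against the constructed entries; AD matching is
    case-insensitive. Returns the sAMAccountName (the 6-digit ID) or None."""
    key = presented.lower()
    for e in directory:
        if e.get("objectClass") == "user" and key in (
                e["sAMAccountName"].lower(), e.get("mail", "").lower()):
            return e["sAMAccountName"]
    return None

if __name__ == "__main__":
    print(extract_cn(SAMPLE_SUBJECT_DN))      # 123456
    print(resolve_user(PRESENTED_IDENTITY))   # 123456
    print(CLEARPASS_FILTER)
```

Whichever option is used, the lookup should still be restricted to `objectClass=user` so that a computer account or other object with a matching attribute cannot satisfy the query.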



  • 4.  RE: EAP-TLS Windows Client not using username - Can ClearPass check on CN

    Posted Aug 26, 2022 12:18 PM
    Thanks, this was what I needed to see