topic Re: Certificate templates for EAP-TLS in Network Access Control

Certificate templates for EAP-TLS

rkazmierczak — Wed, 23 May 2018 07:35:59 GMT

Hi,

Are there recommended user and device certificate templates, the ones used in Windows CA for example. I have seen diffrent ways of doing it - diffrent values for SAN field for example.

The reason I ask is that I am wondering how the device group membership in AD is checked with EAP-TLS. I suppose it's one of the LDAP attributes? I'd like to use device group membership in the authorisation rules.

Thanks,

Rafal

Re: Certificate templates for EAP-TLS

Craig Hyps — Wed, 23 May 2018 12:20:33 GMT

Typically the Cert Auth Profile specifies the certificate field that contains the user id in AD. Often this the Subject CN. This value is then used to fetch group memberships like we would for any other type of Authorization. Optionally you can assign values to specific cert fields like OU to have additional policy conditions such as IF OU=DivisionX, THEN ...

Specific to LDAP queries, the LDAP server definition defines the attribute in LDAP used to perform group membership lookups.

/Craig

Re: Certificate templates for EAP-TLS

rkazmierczak — Wed, 23 May 2018 12:33:16 GMT

Hi Craig,

How about the device certificate? what should I put in the subject name and what should I match for in the certificate profile? and finally how will the hostname be "extracted" so that a search in the AD can be done?

Thanks,

Rafal

Re: Certificate templates for EAP-TLS

Craig Hyps — Wed, 23 May 2018 12:50:54 GMT

MAC address can be used.

Re: Certificate templates for EAP-TLS

rkazmierczak — Wed, 23 May 2018 13:47:15 GMT

is it possible to do a search for AD group membership based on MAC address?

Re: Certificate templates for EAP-TLS

Craig Hyps — Wed, 23 May 2018 13:53:40 GMT

yes, for LDAP. For AD, it depends on how accounts are stored. You could also set the FQDN or UPN in cert field.

Re: Certificate templates for EAP-TLS

rkazmierczak — Wed, 23 May 2018 14:39:38 GMT

thanks.