(BYOD) Using EAP Cert Common Name to confirm valid AD account.

Scott Gillies (Level 1)

Hi

I have a BYOD service that uses Active Directory (AD) to authenticate users to allow them to on-board and obtain a user EAP cert, the common name on the issued cert being the username. Once on-boarded, the EAP-TLS connection to the network is transparent to the user and requires no further input.

As part of the authorization I also want to check that the cert common name (the user's name) is also a current/valid username on the AD.

Is it possible to create an authorization policy that includes passively checking the validity of the username on the AD?

i.e. if (Wireless_802.1X AND EAP-TLS certificate:common name Equals valid AD:username)

Is this possible?

Accepted Solution

Mike.Cifelli (VIP Alumni)
What you are trying to accomplish can be set up this way:
Set up an External Identity Source - Certificate Authentication Profile. Within the profile, map the identity store to your Active Directory. Then use the identity from the certificate attribute of your choice (Common Name).

Within your policy set, set up your authentication conditions as you wish and set the result to use the certificate authentication profile you created. If you want to test this in somewhat of a passive mode you have a couple of options. One scenario can be setting "If Auth fail" and/or "If User not found" to 'Continue'. I wouldn't recommend doing this as it decreases security. This will allow you to check the validity of the username in AD.

In your authz conditions you can set something up that verifies the certificate Issuer - Common Name equals your sub-CA where you obtained your certificate. This looks like this:
CERTIFICATE:Issuer - Common Name Equals <info>

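As an added example (not code from this thread, and not ISE's own implementation), the Python below models the three checks the answer describes: take the identity from the client certificate's subject Common Name, look that identity up in AD, and require the issuer Common Name to equal the BYOD sub-CA. A small DER Name encoder/decoder is included so the script runs offline on constructed certificate fields; the AD user table, the user names and the sub-CA name "BYOD-Issuing-CA" are assumptions, and the dict stands in for the lookup ISE performs against the joined domain. The `user_not_found` switch shows why "If User not found: Continue" is unsafe: a certificate whose CN matches no AD account then reaches authorization and is permitted.

```python
# Added example, not from the original post or from Cisco ISE.
# Certificate fields, AD table and the sub-CA name below are constructed.

OID_COMMON_NAME = bytes.fromhex("550403")  # 2.5.4.3 (id-at-commonName)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_name(**rdns: str) -> bytes:
    """Encode an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, UTF8String }.
    Only cn and o are supported; enough to build subject/issuer fields."""
    oids = {"cn": OID_COMMON_NAME, "o": bytes.fromhex("55040A")}
    out = b""
    for key, value in rdns.items():
        atv = der(0x30, der(0x06, oids[key]) + der(0x0C, value.encode("utf-8")))
        out += der(0x31, atv)           # each RDN is a SET
    return der(0x30, out)               # the Name is a SEQUENCE of RDNs


def _tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def common_name(name_der: bytes):
    """Walk a DER Name and return the first commonName value, or None.
    This is the 'identity from certificate attribute: Common Name' step."""
    tag, rdn_seq, _ = _tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = _tlv(rdn_seq, pos)
        p = 0
        while p < len(rdn_set):
            _, atv, p = _tlv(rdn_set, p)
            _, oid, q = _tlv(atv, 0)
            _, value, _ = _tlv(atv, q)
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8")
    return None


SUB_CA_CN = "BYOD-Issuing-CA"           # assumed name of the issuing sub-CA

# Constructed AD table (sAMAccountName -> state); stands in for the AD lookup.
AD_USERS = {
    "sgillies": {"enabled": True},
    "jdoe": {"enabled": False},         # account disabled in AD
}


def evaluate(subject: bytes, issuer: bytes, ad_users=AD_USERS,
             wireless_dot1x=True, user_not_found="Reject"):
    """Return (decision, reason) for one EAP-TLS attempt.

    user_not_found mirrors the authentication-policy option: 'Reject' fails
    the attempt when the CN is not an AD user, 'Continue' lets it through."""
    if not wireless_dot1x:
        return "no_match", "policy set is Wireless_802.1X only"
    identity = common_name(subject)
    if identity is None:
        return "reject", "certificate has no subject CN to use as identity"
    account = ad_users.get(identity.lower())
    if account is None and user_not_found != "Continue":
        return "reject", f"user not found in AD: {identity}"
    if account is not None and not account["enabled"]:
        # Treating a disabled account as invalid is this example's own choice.
        return "reject", f"AD account disabled: {identity}"
    # Authz condition: CERTIFICATE:Issuer - Common Name Equals <sub-CA>
    issuer_cn = common_name(issuer)
    if issuer_cn != SUB_CA_CN:
        return "reject", f"issuer CN is not the BYOD sub-CA: {issuer_cn}"
    return "permit", f"{identity} authorized via EAP-TLS"


if __name__ == "__main__":
    byod_ca = der_name(cn=SUB_CA_CN, o="Example Corp")
    other_ca = der_name(cn="Some-Other-Trusted-CA", o="Example Corp")
    cases = [
        ("valid user, BYOD CA", der_name(cn="sgillies"), byod_ca, {}),
        ("disabled user", der_name(cn="jdoe"), byod_ca, {}),
        ("unknown user, Reject", der_name(cn="ghost"), byod_ca, {}),
        ("unknown user, Continue", der_name(cn="ghost"), byod_ca,
         {"user_not_found": "Continue"}),
        ("valid user, other CA", der_name(cn="sgillies"), other_ca, {}),
    ]
    for label, subj, iss, kw in cases:
        print(f"{label:24s} -> {evaluate(subj, iss, **kw)}")
```

The last two cases are the ones worth keeping in mind: with "Continue" an unknown CN is permitted, and without the issuer CN condition any certificate from a CA in the trust store whose subject CN happens to match an AD user would pass the lookup.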