Certificate templates for EAP-TLS

rkazmierczak
Level 1

Hi,

Are there recommended user and device certificate templates, e.g. the ones used in a Windows CA? I have seen different ways of doing it, for example different values for the SAN field.

The reason I ask is that I am wondering how the device group membership in AD is checked with EAP-TLS. I suppose it's one of the LDAP attributes? I'd like to use device group membership in the authorisation rules.

Thanks,

Rafal

1 Accepted Solution

Accepted Solutions

Craig Hyps
Level 10

Typically the Cert Auth Profile specifies the certificate field that contains the user id in AD. Often this is the Subject CN. This value is then used to fetch group memberships like we would for any other type of Authorization. Optionally you can assign values to specific cert fields like OU to have additional policy conditions such as IF OU=DivisionX, THEN ...

Specific to LDAP queries, the LDAP server definition defines the attribute in LDAP used to perform group membership lookups.

/Craig


6 Replies


Hi Craig,

How about the device certificate? What should I put in the subject name, and what should I match on in the certificate profile? And finally, how will the hostname be "extracted" so that a search in the AD can be done?

Thanks,

Rafal

MAC address can be used.

Is it possible to do a search for AD group membership based on MAC address?

Yes, for LDAP. For AD, it depends on how accounts are stored. You could also set the FQDN or UPN in a cert field.

Thanks.
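A worked illustration of the mapping Craig describes in the accepted answer (the cert field selected by the certificate authentication profile is resolved against a directory attribute to fetch groups, with an optional OU policy condition) and of his later suggestion to carry the FQDN or UPN in a cert field. This is added example code, not from the thread or from any ISE, Windows CA or AD implementation; the certificate fields, directory entries, attribute names and group names are constructed sample data, and the "san_dns_as_samaccount" mapping is an assumption about how a computer FQDN relates to its AD account name.

```python
# Added illustration, not from the thread: how a certificate authentication profile
# turns an EAP-TLS client certificate into an identity, and how that identity is
# resolved to directory group membership for an authorization rule (all data constructed).

# Parsed client certificates, as the RADIUS server sees them after chain validation.
USER_CERT = {
    "subject_cn": "Rafal K",
    "subject_ou": "DivisionX",
    "san_upn": "rafal@corp.example",        # typical Windows user template content
    "san_dns": [],
}
DEVICE_CERT = {
    "subject_cn": "LAPTOP01.corp.example",
    "subject_ou": "Workstations",
    "san_upn": None,
    "san_dns": ["LAPTOP01.corp.example"],   # typical Windows computer template content
}

# Constructed stand-in for AD/LDAP: attribute -> value -> group memberships.
DIRECTORY = {
    "userPrincipalName": {"rafal@corp.example": ["Domain Users", "VPN-Users"]},
    "dNSHostName": {"laptop01.corp.example": ["Domain Computers", "Corp-Laptops"]},
    "sAMAccountName": {"laptop01$": ["Domain Computers", "Corp-Laptops"]},
}

def identity_from_cert(cert, field):
    """Pick the identity the profile is configured to use; None if the cert lacks it."""
    if field in ("subject_cn", "san_upn"):
        return cert[field]
    if field == "san_dns":
        return cert["san_dns"][0] if cert["san_dns"] else None
    if field == "san_dns_as_samaccount":   # FQDN in SAN -> computer account name (assumed)
        fqdn = identity_from_cert(cert, "san_dns")
        return None if fqdn is None else fqdn.split(".")[0] + "$"
    raise ValueError(f"unsupported identity field {field!r}")

def lookup_groups(identity, attribute):
    """Match the identity against one directory attribute (case-insensitive)."""
    if identity is None:
        return None                         # cert lacks the field the profile expects
    return DIRECTORY[attribute].get(identity.lower())

def authorize(cert, identity_field, ldap_attribute, required_group, required_ou=None):
    """Authorization rule: group membership, plus an optional Subject OU condition."""
    groups = lookup_groups(identity_from_cert(cert, identity_field), ldap_attribute)
    if groups is None or required_group not in groups:
        return "deny"
    if required_ou is not None and cert["subject_ou"] != required_ou:
        return "deny"
    return "permit"
```

The "deny" cases show the mismatch the thread is about: if the template puts the identity in a field the profile does not look at, or the lookup attribute does not hold that value, no groups come back and the rule fails closed.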