1035 Views · 1 Helpful · 6 Replies
rkazmierczak
Beginner

Certificate templates for EAP-TLS

Hi,

Are there recommended user and device certificate templates, the ones used in a Windows CA for example? I have seen different ways of doing it, different values for the SAN field for example.

The reason I ask is that I am wondering how the device group membership in AD is checked with EAP-TLS. I suppose it's one of the LDAP attributes?  I'd like to use device group membership in the authorisation rules.

Thanks,

Rafal

ACCEPTED SOLUTION
Craig Hyps
Advocate

Typically the Cert Auth Profile specifies the certificate field that contains the user id in AD. Often this is the Subject CN. This value is then used to fetch group memberships like we would for any other type of Authorization. Optionally you can assign values to specific cert fields like OU to have additional policy conditions such as IF OU=DivisionX, THEN ...

Specific to LDAP queries, the LDAP server definition defines the attribute in LDAP used to perform group membership lookups.

/Craig


6 REPLIES

Hi Craig,

How about the device certificate? What should I put in the subject name, and what should I match for in the certificate profile? And finally, how will the hostname be "extracted" so that a search in AD can be done?

Thanks,

Rafal

MAC address can be used.

Is it possible to do a search for AD group membership based on MAC address?

Yes, for LDAP. For AD, it depends on how accounts are stored. You could also set the FQDN or UPN in a cert field.

Thanks.
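The two steps the thread describes (the Certificate Authentication Profile names the certificate field that carries the identity, and that value is then matched against a directory attribute whose account's group memberships drive authorization) as an added example that is not Cisco ISE code and not from any poster here. It models the identity sources discussed above (Subject CN, SAN UPN, SAN DNS/FQDN, and a MAC address in the CN) against a constructed in-memory directory instead of a live AD join point. The attribute names sAMAccountName, userPrincipalName, dNSHostName and memberOf are standard AD schema attributes; treating macAddress as a computer-object attribute and the profile names themselves are assumptions made for the example. The one security point the thread's answers leave implicit is that a certificate field is client-supplied input, so it is escaped (RFC 4515) before it goes into an LDAP filter.

```python
"""Mapping an EAP-TLS certificate identity to an AD/LDAP group lookup.

Added example for this thread; not Cisco ISE code and not connected to a
real directory.  Profile names and the 'macAddress' computer attribute are
assumptions; the other attribute names are standard AD schema attributes.
"""
import re

# RFC 4515 escaping for values placed in an LDAP search filter.  A Subject CN
# or SAN value comes from a client-presented certificate, so it is input and
# must never be concatenated into a filter unescaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalize_mac(mac: str) -> str:
    """Accept 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001A2B3C4D5E; return lower-case colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12 or not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


# Constructed Cert Auth Profiles: which certificate field carries the identity
# and which directory attribute it is matched against.
PROFILES = {
    "user-cn":     {"object_class": "user",     "cert_field": "subject_cn", "ad_attribute": "sAMAccountName"},
    "user-upn":    {"object_class": "user",     "cert_field": "san_upn",    "ad_attribute": "userPrincipalName"},
    "device-cn":   {"object_class": "computer", "cert_field": "subject_cn", "ad_attribute": "sAMAccountName"},
    "device-fqdn": {"object_class": "computer", "cert_field": "san_dns",    "ad_attribute": "dNSHostName"},
    "device-mac":  {"object_class": "computer", "cert_field": "subject_cn", "ad_attribute": "macAddress"},  # assumed attribute
}


def extract_identity(cert_fields: dict, profile: dict) -> tuple[str, str]:
    """Return (ad_attribute, value) for the identity the profile selects from the certificate."""
    value = cert_fields.get(profile["cert_field"])
    if not value:
        raise LookupError(f"certificate has no {profile['cert_field']}; endpoint cannot be identified")
    attr = profile["ad_attribute"]
    if attr == "macAddress":
        value = normalize_mac(value)
    elif attr == "sAMAccountName" and profile["object_class"] == "computer" and not value.endswith("$"):
        value += "$"  # AD names computer accounts HOST$; a bare hostname in the CN would not match
    return attr, value


def membership_filter(cert_fields: dict, profile: dict) -> str:
    """The LDAP search filter that locates the account whose memberOf will be read."""
    attr, value = extract_identity(cert_fields, profile)
    return f"(&(objectClass={profile['object_class']})({attr}={ldap_escape(value)}))"


def lookup_groups(cert_fields: dict, profile: dict, directory: dict) -> list[str]:
    """directory: constructed stand-in for the directory, keyed by (attribute, value)."""
    attr, value = extract_identity(cert_fields, profile)
    key = (attr.casefold(), value.casefold())  # AD matches these attributes case-insensitively
    return directory.get(key, [])


def is_member(member_of: list[str], group_dn: str) -> bool:
    """memberOf holds DNs; compare case-insensitively because DNs are not case-sensitive."""
    wanted = group_dn.casefold()
    return any(dn.casefold() == wanted for dn in member_of)


# Constructed directory contents (not real objects); values are memberOf lists.
DIRECTORY = {
    ("samaccountname", "jdoe"):                ["CN=VPN-Users,OU=Groups,DC=example,DC=com"],
    ("userprincipalname", "jdoe@example.com"): ["CN=VPN-Users,OU=Groups,DC=example,DC=com"],
    ("samaccountname", "laptop01$"):           ["CN=Corp-Laptops,OU=Groups,DC=example,DC=com"],
    ("dnshostname", "laptop01.example.com"):   ["CN=Corp-Laptops,OU=Groups,DC=example,DC=com"],
    ("macaddress", "00:1a:2b:3c:4d:5e"):       ["CN=Printers,OU=Groups,DC=example,DC=com"],
}

if __name__ == "__main__":
    device_cert = {"subject_cn": "LAPTOP01", "san_dns": "laptop01.example.com"}
    for name in ("device-cn", "device-fqdn"):
        print(name, membership_filter(device_cert, PROFILES[name]),
              lookup_groups(device_cert, PROFILES[name], DIRECTORY))
```

Two caveats worth carrying into a real deployment: the filter is built per profile, so the same Subject CN is only ever matched against the attribute the profile names (the example does not guess whether a CN is a hostname or a MAC), and memberOf lists direct memberships only; nested groups and the primary group need a recursive query or the tokenGroups attribute if the authorization rules depend on them.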
