We are using EAP-TLS as part of our AuthZ rule set and I'm curious if there is a best-practice method for dealing with a user certificate. I have a mixture of PCs and Macs. With my PCs, we are also using NAM, so EAP Chaining is available. EAP Chaining does not appear to be an option for the Macs.
We started down the path of having a Microsoft track and a non-Microsoft track for AuthZ, but we're also trying to eliminate two sets of rules where possible.
Suppose my domain is fubar.com.
I have some rules that check the EAP method and the certificate contents, a la:
NetworkAccess:EapAuthentication EQUALS EAP-TLS AND
CERTIFICATE:Subject Alternative Name CONTAINS fubar.com
I have other rules that test for the condition:
CERTIFICATE:Subject MATCHES .*(FUBAR).*
Is one way better? Is there a BEST way of examining the user certificate?
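As an added illustration, not part of the original post and not ISE's own matching engine: a small Python model of the two conditions in the question, run against constructed certificates, showing where substring CONTAINS and unanchored-regex MATCHES over-match and what a domain-exact SAN check looks like. The Cert class, the "UPN:"/"RFC822:" SAN notation, the unanchored-search semantics and the sample subjects are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Cert:
    # Assumed representation: subject as an RFC 4514-style string,
    # SAN entries as "type:value" (e.g. "UPN:alice@fubar.com").
    subject: str
    san: list = field(default_factory=list)


def san_contains(cert: Cert, needle: str) -> bool:
    """Model of: CERTIFICATE:Subject Alternative Name CONTAINS <needle>.
    Plain substring test over every SAN entry (assumed semantics)."""
    return any(needle in entry for entry in cert.san)


def subject_matches(cert: Cert, pattern: str) -> bool:
    """Model of: CERTIFICATE:Subject MATCHES <regex>.
    Unanchored, case-sensitive regex search (assumed semantics)."""
    return re.search(pattern, cert.subject) is not None


def san_domain_exact(cert: Cert, domain: str) -> bool:
    """Tighter check: the domain part of a UPN/RFC822 SAN must equal
    the expected domain exactly, so look-alike domains do not match."""
    for entry in cert.san:
        kind, _, value = entry.partition(":")
        if kind in ("UPN", "RFC822") and "@" in value:
            if value.rsplit("@", 1)[1].lower() == domain.lower():
                return True
    return False


# Constructed sample certificates (not taken from the post).
OWN_USER = Cert("CN=alice,OU=Users,O=FUBAR Inc,DC=fubar,DC=com", ["UPN:alice@fubar.com"])
LOOKALIKE = Cert("CN=mallory,O=Contractors,DC=notfubar,DC=com", ["UPN:mallory@notfubar.com"])
OTHER_ORG = Cert("CN=bob,OU=FUBAR Project,O=Partner Ltd", ["RFC822:bob@partner.example"])


def evaluate(cert: Cert) -> dict:
    """Apply the post's two conditions plus the exact-domain check."""
    return {
        "san_contains": san_contains(cert, "fubar.com"),
        "subject_matches": subject_matches(cert, r".*(FUBAR).*"),
        "san_domain_exact": san_domain_exact(cert, "fubar.com"),
    }


if __name__ == "__main__":
    for name, cert in [("own", OWN_USER), ("lookalike", LOOKALIKE), ("other", OTHER_ORG)]:
        print(name, evaluate(cert))
```

The look-alike certificate passes the SAN CONTAINS rule because "fubar.com" is a substring of "notfubar.com", and the partner certificate passes the Subject MATCHES rule because the string FUBAR appears in an OU; only the exact-domain check admits just the own-domain user.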