Using TLS Certificate fields for authentication mapping


Userlevel 5
Hello,

can I use TLS certificate fields like "TLS-Cert-Issuer" or "TLS-Cert-Common-Name" (or other fields mentioned here: https://gtacknowledge.extremenetworks.com/articles/Solution/Using-TLS-Certificate-fields-for-authent...) to do the authentication mapping in the NAC AAA configuration to e. g. switch between local authentication or proxy radius if I use 802.1x?



If yes, how can I do set? What do I have to enter in the fields (User/MAC/Host)?

Best regards
Stephan

8 replies

Userlevel 2
Stephan, are you looking to use a cert field for making a decision if to proxy the request to another server or auth locally? or are you looking to perform the auth by ExtremeControl server but use a cert field to make an authorization decision as what network service to assign?
Userlevel 5
Hello Shumlik,

I want to make a decision if to proxy or do a locally auth.

Best regards
Stephan
Userlevel 6
Hi Stephan.

the decision to proxy or not can be made based on Location (Switch, Port, SSID, AP, Zone), based on username (pattern or group membership, in case of certificates the name is CN), based on authentication type.

I suggest to terminate EAP-TLS locally and add more CA and more CRL to your configuration. The Access Control Engine can authorize based on more CA.

Regards

Z.
Userlevel 5
Pala, Zdenek wrote:

Hi Stephan.

the decision to proxy or not can be made based on Location (Switch, Port, SSID, AP, Zone), based on username (pattern or group membership, in case of certificates the name is CN), based on authentication type.

I suggest to terminate EAP-TLS locally and add more CA and more CRL to your configuration. The Access Control Engine can authorize based on more CA.

Regards

Z.

Thank you Pala,

can I use only parts of the certificate CN, too? Like "host/*" in an user name.

Best regards
Stephan
Userlevel 6
Pala, Zdenek wrote:

Hi Stephan.

the decision to proxy or not can be made based on Location (Switch, Port, SSID, AP, Zone), based on username (pattern or group membership, in case of certificates the name is CN), based on authentication type.

I suggest to terminate EAP-TLS locally and add more CA and more CRL to your configuration. The Access Control Engine can authorize based on more CA.

Regards

Z.

Yes you can use wildcard to check the username. Username is the CN.
Userlevel 5
Pala, Zdenek wrote:

Hi Stephan.

the decision to proxy or not can be made based on Location (Switch, Port, SSID, AP, Zone), based on username (pattern or group membership, in case of certificates the name is CN), based on authentication type.

I suggest to terminate EAP-TLS locally and add more CA and more CRL to your configuration. The Access Control Engine can authorize based on more CA.

Regards

Z.

Thank you Pala.
Userlevel 3



I can only show a screenshot in OneView.

You can make a User Group and Change it to RADIUS User Group, then you can rely on TLS Attributes.
We did it with TLS-Client-Cert-Common-Name, but others should also be possible.

Does anyone has a list of which attributes are possible?
Userlevel 5
Anton Sax wrote:



I can only show a screenshot in OneView.

You can make a User Group and Change it to RADIUS User Group, then you can rely on TLS Attributes.
We did it with TLS-Client-Cert-Common-Name, but others should also be possible.

Does anyone has a list of which attributes are possible?

Hello Anton,

you will see the attributes in the KB article following the link in my first text above.

Best regards
Stephan

Reply