Wireless (General)


NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

  • 1.  NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 08:41
    We have a working setup with Netsight/NAC + Microsoft Windows PKI 2012 R2
    Our Clients get Certificates with Auto Enrollment, which they use to authenticate in the network.
    Additionally we use LDAP User Groups to put the Clients into different Networks -> UserVLAN, AdminVLAN, InternetVLAN etc.
    This works great, but we noticed a problem.
    When using a non-Windows device it is possible to set a different Username/Identity that is sent to the Authentication Server.
    This can be used to get into a different network than supposed to, if the Username/Identity is valid (e.g. Admin).
    In another area we used RADIUS User Groups to separate those client families, but this is not possible here because in the certificates of User and Admin there is nothing different apart from the hostname.

    We thought of writing something in the Subject/common name of the Certificate/Template in the PKI. But we don't know how this can be achieved, since there is no possibility to write CUSTOM information.



    Any MCSE knows how to deal with that? ;-)



  • 2.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 08:48
    Why not check the CN on the certificate to see if it matches the username on the request?


  • 3.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 09:04
    Sounds good, how is that done?



  • 4.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 09:15
    I am not familiar with Netsight, but on Identity Engines this could be written as part of the Authorization rule, I believe.


  • 5.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 10:05
    Hello Anton,

    I think that article should help:

    https://gtacknowledge.extremenetworks.com/articles/Solution/Using-TLS-Certificate-fields-for-authent...

    Best regards
    Stephan


  • 6.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 10:09
    Anton,

    if you need the CN as username read that:

    https://gtacknowledge.extremenetworks.com/articles/How_To/Configure-NAC-To-Use-The-TLS-Client-Certif...

    Best regards
    Stephan


  • 7.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 10:15
    Hi Stephan,

    I know that article. We also used TLS fields in RADIUS User Groups for other devices/areas,
    but in that case there is no TLS field we can use, because the certificates are mostly the same,
    except hostname/DNS name, but I cannot build a rule from that.

    For example hostname1 is ADMIN, hostname2 is USER.

    I thought to write in the subject of the certificate hostname1-ADMIN so I can make a RADIUS User Group *-Admin.


  • 8.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 10:31
    Hello Anton,

    If you can write different SANs (subject alt names) in the certificate you can use this as criteria.
    If you can't do this with your certificate template on the Windows CA you can create a new template (enterprise server needed!) with SAN as attribute.

    If this is not possible, you export the serial from the Windows CA and import it again in the NAC, I think.
    But for that you have to dig deeper into the Windows certificate command line.



  • 9.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 11:09
    Hello,

    If I am reading this correctly, you can use an Appliance Property pushed out to the NAC appliance to ensure that the username matches the Common Name. This came up once in a troubleshoot so we created a knowledge-base article for it:

    https://gtacknowledge.extremenetworks.com/articles/How_To/Configure-NAC-To-Use-The-TLS-Client-Certif...

    Does this help?

    Regards,

    Scott Keene
    NMS/NAC Support, Extreme GTAC
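The check that replies 2 and 9 describe, refusing an EAP identity that does not match the client certificate the supplicant presented, written out as an added Go example; this is not NAC's own code nor the configuration from the knowledge-base article. The certificate is self-signed test data constructed in the block, and the function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// identityMatchesCert reports whether the EAP identity a supplicant sent equals the
// certificate's subject CN or a DNS SAN (case-insensitive); an empty identity never matches.
func identityMatchesCert(identity string, cert *x509.Certificate) bool {
	id := strings.ToLower(strings.TrimSpace(identity))
	if id == "" {
		return false
	}
	if strings.ToLower(cert.Subject.CommonName) == id {
		return true
	}
	for _, san := range cert.DNSNames {
		if strings.ToLower(san) == id {
			return true
		}
	}
	return false
}

// makeClientCert builds a self-signed client certificate with the given CN and DNS SANs:
// constructed test data standing in for an auto-enrolled machine certificate.
func makeClientCert(cn string, sans []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

With this binding in place, a device that presents hostname2's certificate but sends the identity "admin" (or any other valid account name) is rejected before group lookup, so the VLAN assignment can only follow the name the PKI actually issued.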


  • 10.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-24-2018 07:35
    Thank you for your replies.
    The RADIUS property seems to do exactly what we want.
    I cannot test it at the moment, as our certificates don't have a subject/common name, so the username cannot be replaced.
    When the clients have the new certificate we're gonna test it.



  • 11.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 11:09
    Hello Scott,

    I posted that link one hour ago 😉.

    Best regards
    Stephan


  • 12.  RE: NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

    Posted 07-20-2018 11:09
    Very good, thank you. I only had time to read the initial inquiry and I remember writing the article so I just replied real quick. Take care. -Scott