Using TLS Certificate fields for authentication mapping


StephanH
Valued Contributor III

Hello,

can I use TLS certificate fields like "TLS-Cert-Issuer" or "TLS-Cert-Common-Name" (or other fields mentioned here: https://extremeportal.force.com/ExtrArticleDetail?an=000064090) to do the authentication mapping in the NAC AAA configuration, e.g. to switch between local authentication and proxy RADIUS if I use 802.1X?


 


If yes, how can I set this up? What do I have to enter in the fields (User/MAC/Host)?

Best regards
Stephan

 

Regards Stephan

AntonS
Contributor II




I can only show a screenshot in OneView.

You can make a User Group and change it to a RADIUS User Group, then you can rely on TLS attributes.
We did it with TLS-Client-Cert-Common-Name, but others should also be possible.

Does anyone have a list of which attributes are possible?

StephanH
Valued Contributor III
Hello Anton,

you will see the attributes in the KB article following the link in my first text above.

Best regards
Stephan
Regards Stephan

Zdeněk_Pala
Extreme Employee
Hi Stephan.

The decision to proxy or not can be made based on location (Switch, Port, SSID, AP, Zone), based on username (pattern or group membership; in the case of certificates the name is the CN), or based on authentication type.

I suggest terminating EAP-TLS locally and adding more CAs and more CRLs to your configuration. The Access Control Engine can authorize based on more CAs.

Regards

Z.
Regards Zdeněk Pala

StephanH
Valued Contributor III
Thank you Pala.
Regards Stephan