topic RE: Using TLS Certificate fields for authentication mapping in ExtremeWireless (General)

Using TLS Certificate fields for authentication mapping

StephanH — Sat, 09 Jun 2018 03:08:00 GMT

Hello,

can I use TLS certificate fields like "TLS-Cert-Issuer" or "TLS-Cert-Common-Name" (or other fields mentioned here: https://extremeportal.force.com/ExtrArticleDetail?an=000064090) to do the authentication mapping in the NAC AAA configuration to e. g. switch between local authentication or proxy radius if I use 802.1x?

If yes, how can I do set? What do I have to enter in the fields (User/MAC/Host)?

Best regards
Stephan

RE: Using TLS Certificate fields for authentication mapping

Shmulik — Mon, 11 Jun 2018 11:48:00 GMT

Stephan, are you looking to use a cert field for making a decision if to proxy the request to another server or auth locally? or are you looking to perform the auth by ExtremeControl server but use a cert field to make an authorization decision as what network service to assign?

RE: Using TLS Certificate fields for authentication mapping

StephanH — Mon, 11 Jun 2018 11:57:00 GMT

Hello Shumlik,

I want to make a decision if to proxy or do a locally auth.

Best regards
Stephan

RE: Using TLS Certificate fields for authentication mapping

Zdeněk_Pala — Tue, 12 Jun 2018 10:29:00 GMT

Hi Stephan.

the decision to proxy or not can be made based on Location (Switch, Port, SSID, AP, Zone), based on username (pattern or group membership, in case of certificates the name is CN), based on authentication type.

I suggest to terminate EAP-TLS locally and add more CA and more CRL to your configuration. The Access Control Engine can authorize based on more CA.

Regards

Z.

RE: Using TLS Certificate fields for authentication mapping

StephanH — Tue, 12 Jun 2018 10:29:00 GMT

Thank you Pala,

can I use only parts of the certificate CN, too? Like "host/*" in an user name.

Best regards
Stephan

RE: Using TLS Certificate fields for authentication mapping

Zdeněk_Pala — Tue, 12 Jun 2018 10:29:00 GMT

Yes you can use wildcard to check the username. Username is the CN.

RE: Using TLS Certificate fields for authentication mapping

StephanH — Tue, 12 Jun 2018 10:29:00 GMT

Thank you Pala.

RE: Using TLS Certificate fields for authentication mapping

AntonS — Wed, 20 Jun 2018 20:31:00 GMT

I can only show a screenshot in OneView.

You can make a User Group and Change it to RADIUS User Group, then you can rely on TLS Attributes.
We did it with TLS-Client-Cert-Common-Name, but others should also be possible.

Does anyone has a list of which attributes are possible?

RE: Using TLS Certificate fields for authentication mapping

StephanH — Wed, 20 Jun 2018 20:31:00 GMT

Hello Anton,

you will see the attributes in the KB article following the link in my first text above.

Best regards
Stephan