This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ExtremeControl EAP Group Mappings, match on signing CA?

ExtremeControl EAP Group Mappings, match on signing CA?

Anonymous
Not applicable

‎03-06-2022 08:13 AM

Hi,

As of 8.5.3 ExtremeControl has the ability to use multiple RADIUS certificates using EAP Group Mappings.

The determination of those certificates is done using EAP Group Mappings via the exchange of RADIUS packets to look at User-Name, NAS-IP-Address (Switch IP) or Calling-station-id (MAC Address), as per below:

65032b70b2634f838279c5918f888c35.png
You can then use a POSIX regular expression to find a match:

99c9a85ba8d74331a596b23608a14e29.png
In my case there are two different certificate authorities, some clients will be signed by one, others will be signed by another. This is part of a migration to a new PKI. The issue here is that the only real distinction between client certificates presented to ExtremeControl will be the signing CA.

So the domain, user and NAS IP's in the RADIUS exchange are all going to be the same.

Is there a way to create a filter based on certificate signing CA, or something else I might be able to hook into to make the distinction?

Many thanks in advance.
0 Kudos
5 REPLIES 5

Anonymous
Not applicable

‎03-07-2022 01:59 PM

Hi Mig,

Great, understood.

Thanks again.

Cheers,

Martin
0 Kudos

Miguel-Angel_RO
Valued Contributor II

‎03-07-2022 11:19 AM

Hi Martin,

The RADIUS will make a choice based on the commonName in the certificate.
If both PKIs are giving the same name, you'll not be able to discriminate on this parameter.
An alternative could be to present a public certificate (the CA Root should be in all the devices) during the migration and switch after that.
If the clients are windows devices, you can manage the authentication parameters via GPO and push both private Root CA.

Concerning the AAA, yes you ca upload both Root CA and the RADIUS will choose the one corresponding to the client certificate.

Regards
Mig
0 Kudos

James_A
Valued Contributor
In response to Miguel-Angel_RO

‎07-31-2023 11:17 PM

It should be possible to match on TLS-Client-Cert-Issuer https://extremeportal.force.com/ExtrArticleDetail?an=000064090

0 Kudos

Anonymous
Not applicable

‎03-07-2022 10:29 AM

Hi Miguel,

Thank you posting a reply so quickly, and thank you for the added detail.

Also thank you for you patience if my understanding is incorrect.

So here is the scenario I am thinking of, which is based on computer authentication using EAPTLS. 

Two clients connect the same switch using a certificate with the same FQDN (due to migration), but have been signed by different PKI's.

Based on that information and the available RADIUS fields of Username (maybe just or PEAP) and NAS-IP address, these would be the same for each client, so what criteria could be used to make the distinction?

If each client has installed only the root and intermediates that belong to its own PKI, it becomes critical that the right NAC / RADIUS certificate is returned / presented to the client - hence back to what criteria to use?

In regards to AAA configuration, which is used to validate the client certificate / authentication, do you know if I can install root and intermediate certs for each of the PKI's in the same place?

That way the client certificate presented to NAC will be able to chain automatically against the right ones?

Many thanks,

Martin
0 Kudos
GTM-P2G8KFN