cancel
Showing results for 
Search instead for 
Did you mean: 

NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

NAC EAP-TLS + Microsoft PKI - custom subject/common name not possible

AntonS
Contributor II
We have a working setup with Netsight/NAC + Microsoft Windows PKI 2012 R2
Our Clients get Certificates with Auto Enrollment, which they use to authenticate in the network.
Additionally we use LDAP User Groups to put the Clients into different Networks -> UserVLAN, AdminVLAN, InternetVLAN etc.
This works great, but we noticed a problem.
When using a non Windows Device it is possible to set a different Username/Identity that is sent to the Authentication Server.
This can be used to get into a different network than supposed to, if the Username/Identy is valid (eg. Admin)

613175a82d9e46b2bd79a46f60e511af_RackMultipart20180720-22629-vtp2y2-CaptureIphone1_inline.png



613175a82d9e46b2bd79a46f60e511af_RackMultipart20180720-121465-6c02gr-CaptureUSER1_inline.jpg



In another area we used RADIUS User Group to seperate those client families, but this is not possible here because in the certificate from User and Admin there is nothing different than the hostname.

We thought of writing something in the Subject/common name of the Certificate/Template in the PKI. But we don't know how this can be achieved since there is no possibility to write CUSTOM Information.

613175a82d9e46b2bd79a46f60e511af_RackMultipart20180720-123696-i3blh5-CaptureTemplate1_inline.jpg



Any MCSE knows how to deal with that? 😉

11 REPLIES 11

AntonS
Contributor II
sounds good, how is that done?

Brian_Holmes
New Contributor III
why not check the CN on the certificate to see if it matches the username on the request?
GTM-P2G8KFN