Hi Community,
I have a little issue with NetSight / NAC 6.3 with EAP-TLS.
If the CN in the client certificate equals the MAC address, then the username field is empty.
Otherwise the field is filled:
RADIUS / Certificate Diagnostics (CN=MAC):
User-Name = "00-1A-E8-27-76-8A"
Service-Type = Framed-User
Called-Station-Id = "20-B3-99-0B-6A-94"
Calling-Station-Id = "00-1A-E8-27-76-8A"
NAS-Identifier = "Demokit D2"
NAS-IP-Address = 192.168.10.10
NAS-Port = 8
NAS-Port-Id = "ge.1.8"
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0x7077081978e6055d5931c04285fc9f93
EAP-Message = 0x029100060d00
Message-Authenticator = 0xa8aaa0067409760bc450db9db1a2a7c4
ETS-Outer-Tunnel-Username = "00-1A-E8-27-76-8A"
ETS-NTLM-Auth-Allowed = 0
ETS-Cleartext-Password =
EAP-Type = EAP-TLS
TLS-Cert-Serial := "11ab00d3000700000039"
TLS-Cert-Expiration := "200801150226Z"
TLS-Cert-Subject := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Cert-Issuer := "/DC=com/DC=demo/DC=unify/CN=Unify Demo Root CA"
TLS-Cert-Common-Name := "Demokit Issuing CA"
TLS-Client-Cert-Serial := "610f05e900010000001f"
TLS-Client-Cert-Expiration := "170806112608Z"
TLS-Client-Cert-Subject := "/C=DE/ST=BW/L=Stuttgart/O=Unify Deutschland GmbH & Co. KG/OU=PSS UCC 3.2/CN=00-1A-E8-27-76-8A"
TLS-Client-Cert-Issuer := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Client-Cert-Common-Name := "00-1A-E8-27-76-8A"
TLS-Client-Cert-X509v3-Subject-Key-Identifier += "5A:60:B4:7E:F7:36:B7:22:F1:39:31:8C:B1:6B:61:BF:BE:85:BE:7D"
TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:07:F3:A1:4C:98:90:42:58:9A:FB:B2:67:A5:09:25:E1:76:16:77:06\n"
TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Server Authentication, TLS Web Client Authentication"

RADIUS / Certificate Diagnostics (CN!=MAC):
User-Name = "00-11-22-AA-BB-CC"
Service-Type = Framed-User
Called-Station-Id = "20-B3-99-0B-6A-94"
Calling-Station-Id = "00-1A-E8-27-76-8A"
NAS-Identifier = "Demokit D2"
NAS-IP-Address = 192.168.10.10
NAS-Port = 8
NAS-Port-Id = "ge.1.8"
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0xda612f8ad24a226d68a952489ecc2114
EAP-Message = 0x022b00060d00
Message-Authenticator = 0xf9175123bf64dac6666667d70b4d4fae
ETS-Outer-Tunnel-Username = "00-11-22-AA-BB-CC"
ETS-NTLM-Auth-Allowed = 0
ETS-Cleartext-Password =
EAP-Type = EAP-TLS
TLS-Cert-Serial := "11ab00d3000700000039"
TLS-Cert-Expiration := "200801150226Z"
TLS-Cert-Subject := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Cert-Issuer := "/DC=com/DC=demo/DC=unify/CN=Unify Demo Root CA"
TLS-Cert-Common-Name := "Demokit Issuing CA"
TLS-Client-Cert-Serial := "6153011a000100000020"
TLS-Client-Cert-Expiration := "170806124023Z"
TLS-Client-Cert-Subject := "/C=DE/ST=BW/L=Stuttgart/O=Unify/OU=PSS UCC 3.2/CN=00-11-22-AA-BB-CC"
TLS-Client-Cert-Issuer := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Client-Cert-Common-Name := "00-11-22-AA-BB-CC"
TLS-Client-Cert-X509v3-Subject-Key-Identifier += "54:7C:C6:4A:3C:D5:F0:C0:F0:D3:14:40:67:33:79:E5:F6:AF:29:0D"
TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:07:F3:A1:4C:98:90:42:58:9A:FB:B2:67:A5:09:25:E1:76:16:77:06\n"
TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Server Authentication, TLS Web Client Authentication"

Hope anyone has an idea why the username is not extracted correctly.
Best Regards
Michael