Extreme Networks

StephanH · ‎06-08-2018

Hello,

can I use TLS certificate fields like "TLS-Cert-Issuer" or "TLS-Cert-Common-Name" (or other fields mentioned here: https://extremeportal.force.com/ExtrArticleDetail?an=000064090) to do the authentication mapping in the NAC AAA configuration to e. g. switch between local authentication or proxy radius if I use 802.1x?

d4d8ae978da84b7b950785e8ca94cd72_RackMultipart20180608-114138-1wldydo-AuthMapping_inline.jpg

If yes, how can I do set? What do I have to enter in the fields (User/MAC/Host)?

Best regards
Stephan

Regards Stephan

AntonS · ‎06-20-2018

93cf1bfb5b99431dbfea921bd0599643_RackMultipart20180620-23854-1tjbehy-image_inline.png

I can only show a screenshot in OneView.

You can make a User Group and Change it to RADIUS User Group, then you can rely on TLS Attributes.
We did it with TLS-Client-Cert-Common-Name, but others should also be possible.

Does anyone has a list of which attributes are possible?

StephanH · ‎06-20-2018

Hello Anton,

you will see the attributes in the KB article following the link in my first text above.

Best regards
Stephan

Regards Stephan

Zdeněk_Pala · ‎06-12-2018

Hi Stephan.

the decision to proxy or not can be made based on Location (Switch, Port, SSID, AP, Zone), based on username (pattern or group membership, in case of certificates the name is CN), based on authentication type.

I suggest to terminate EAP-TLS locally and add more CA and more CRL to your configuration. The Access Control Engine can authorize based on more CA.

Regards

Z.

Regards Zdeněk Pala

StephanH · ‎06-12-2018

Thank you Pala.

Regards Stephan

Extreme Networks

Using TLS Certificate fields for authentication mapping

Using TLS Certificate fields for authentication mapping