Article

Using TLS Certificate fields for authentication with NAC

Symptoms
New PKI infrastructure deployed, no back-end Windows AD
DOT1X authentication to succeed locally (NAC is end-point for authentication)
Authorisation criteria:
- use User Groups whose matching attributes are TLS certificate fields passed in RADIUS requests
- wildcard the values of those attributes with regular expressions
Environment
Platform: NAC
Version: 6.1.x or earlier
Cause
The ability to use some TLS fields in a "RADIUS User Group" was not documented
The feature to apply regular expressions to attribute values was not available
 
Resolution
Upgrade NAC to latest 6.3.x or higher
 
Additional notes
The following TLS attributes can be used:

TLS-Cert-Serial
TLS-Cert-Expiration
TLS-Cert-Issuer
TLS-Cert-Subject
TLS-Cert-Common-Name
TLS-Cert-Subject-Alt-Name-Email
TLS-Client-Cert-Serial
TLS-Client-Cert-Expiration
TLS-Client-Cert-Issuer
TLS-Client-Cert-Subject
TLS-Client-Cert-Common-Name
TLS-Client-Cert-Filename
TLS-Client-Cert-Subject-Alt-Name-Email
TLS-Client-Cert-X509v3-Extended-Key-Usage
TLS-Client-Cert-X509v3-Subject-Key-Identifier
TLS-Client-Cert-X509v3-Authority-Key-Identifier
TLS-Client-Cert-X509v3-Basic-Constraints

Wildcard matching works with RADIUS User Groups, LDAP User Groups, and LDAP Host Group.

Examples:
* RADIUS User Group
  Attribute received in the RADIUS request:
    TLS-Client-Cert-Subject=CN=user1,OU=Testers,OU=QA,O=Comp

  An entry in the "RADIUS User Group" could be:
    Attribute Name:   TLS-Client-Cert-Subject
    Value:            *OU=Testers,*

* LDAP User Group
  Attribute received from LDAP:
    userPrincipalName: user01@comp.com

  An entry in the Group could be:
    Attribute Name:   userPrincipalName
    Value:            *@comp.com
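The two group entries above, worked through as an added example (this is not NAC code, and the rule table, group names and request values are constructed for illustration). It treats a group entry as an attribute name plus a "*" wildcard value, translates the wildcard into an anchored regular expression, and reports which groups a RADIUS request's attributes place a client in. It assumes the NAC compares the wildcard against the whole attribute value; it also shows why the trailing comma in "*OU=Testers,*" matters.

```python
import re
from typing import Dict, List, Tuple

# Constructed group definitions in the shape the article describes:
# (group name, attribute name, wildcard value). Not NAC configuration syntax.
GROUP_RULES: List[Tuple[str, str, str]] = [
    ("QA-Testers", "TLS-Client-Cert-Subject", "*OU=Testers,*"),
    ("Comp-Users", "userPrincipalName", "*@comp.com"),
    ("Corp-CA-Issued", "TLS-Client-Cert-Issuer", "CN=Corp Issuing CA*"),  # hypothetical issuer
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a '*' wildcard into an anchored, case-insensitive regex.

    Everything except '*' is escaped so DN punctuation ('=', ',', '.') is
    matched literally. The '^...$' anchors encode the assumption that the
    value must match as a whole, not as a substring.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matching_groups(attributes: Dict[str, str]) -> List[str]:
    """Return the names of all groups whose rule matches the request.

    `attributes` models the attribute/value pairs the NAC sees in a RADIUS
    request (or pulls from LDAP), e.g. {"TLS-Client-Cert-Subject": "CN=..."}.
    """
    groups: List[str] = []
    for group, attr_name, wildcard in GROUP_RULES:
        value = attributes.get(attr_name)
        if value is None:
            continue  # attribute absent from this request: rule cannot match
        if wildcard_to_regex(wildcard).match(value) and group not in groups:
            groups.append(group)
    return groups


if __name__ == "__main__":
    # Constructed requests: the article's user1, plus near-misses that show
    # the effect of the trailing comma and of anchoring.
    samples = {
        "user1 (OU=Testers)": {"TLS-Client-Cert-Subject": "CN=user1,OU=Testers,OU=QA,O=Comp"},
        "user2 (OU=Testers2)": {"TLS-Client-Cert-Subject": "CN=user2,OU=Testers2,OU=QA,O=Comp"},
        "user01 UPN": {"userPrincipalName": "user01@comp.com"},
        "look-alike UPN": {"userPrincipalName": "user01@comp.com.example"},
    }
    for label, attrs in samples.items():
        print(f"{label:22s} -> {matching_groups(attrs)}")
```

Because the entry value is "*OU=Testers,*" rather than "*OU=Testers*", a certificate whose subject contains "OU=Testers2" does not land in the QA-Testers group; likewise the anchored "*@comp.com" does not accept a userPrincipalName that merely contains "@comp.com" as a prefix of a longer domain. When writing wildcard values against DN-style attributes, include the delimiter that closes the component you are matching on.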
