SPEAKER: Authentication policies a little bit. How can we use them in combination with certificates alone?
What we will do is we’ll create another example. So far, we’ve just authenticated the user that used the test certificate we’ve created before. What if we want to differentiate between different types of users just by looking at certificates?
So what I’ve done is, I’ve created another test user certificate that has a different common name, that has different attributes in the subject, that we will use to differentiate between our original test user and the new one. So what I will do is, I will create a label matching on certificate attribute. And I will call this my New User 1 Cert.
Because our test user– where is it? The common name is different on the certificate. It’s User 1 at different domain name.
So we’ll take a look at the certificate attribute, and we’ll match on the common name of this certificate. So in this case, we want to do a full match.
And just let’s say, we want to say, if this certificate is being used, then we want to assign these users or this user into a different VLAN. Let’s just say, other VLAN. So label value VLAN, let’s say, VLAN 1.
So I’m going to create another rule. I’m going to say, special user– or special cert, I should say, select Wireless, select TLS.
But in this case, we are also going to match on the certificate attribute that we’ve just configured. So all three conditions here must match in order for this specific policy to hit. And when it hits, we will assign the user into a different VLAN.
So we’re going to hit Save. Now, we have the two policy rules.
Now, let’s connect the device.
I’ve already configured my iPad with this new certificate.
Now, the iPad is connected to a different VLAN. We see that this is a new user, a different username connected to the same SSID, just assigned to a different VLAN ID.
So if we click on it, we’ll look at the insides.
Let’s see if we have new events in there.
Just coming in.
Now, we are seeing the new set of events coming in.
We’re seeing the new certificate with a different common name in the cert. This is the attribute we’ve been matching on.
And now, we see the new rule hit. And in this case, this specific user or this specific client went and hit the different rule. This is how we can make policies, just by looking at the certificate with nothing else at our hands.
And this is just an example. You could look at part of the subject in the certificate. You could look at the issuers, if you have different CAs issuing certificates for other users. You could look at virtually any certificate attribute that you want to look at, and use that as the differentiation factor in your access policies.
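The rule logic shown in the demo (all conditions on one rule must match, and the certificate condition can be a full or partial match on any subject or issuer attribute), as an added example that is not the product's code from the video; the attribute keys, the VLAN numbers other than VLAN 1, and the sample common names are constructed for illustration:

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    network: str                 # constructed: "wireless" or "wired"
    eap: str                     # constructed: "tls", "peap", ...
    cert_match: dict = field(default_factory=dict)  # attr -> (mode, expected)
    vlan: int = 0

def _attr_matches(mode, expected, actual):
    # "full" is the exact match used in the demo; "partial" covers the
    # "part of the subject" case mentioned at the end of the walkthrough.
    if actual is None:
        return False
    if mode == "full":
        return actual.lower() == expected.lower()
    if mode == "partial":
        return expected.lower() in actual.lower()
    raise ValueError(f"unknown match mode {mode!r}")

def evaluate(rules, session):
    """Return (rule name, vlan) for the first rule whose conditions all
    match the session, or None if no rule hits.
    session: {"network": ..., "eap": ..., "cert": {attr: value, ...}}"""
    for r in rules:
        if session.get("network") != r.network or session.get("eap") != r.eap:
            continue
        cert = session.get("cert", {})
        if all(_attr_matches(m, v, cert.get(a)) for a, (m, v) in r.cert_match.items()):
            return r.name, r.vlan
    return None

# Constructed rule set mirroring the demo: the certificate-specific rule is
# listed first so a first-match evaluator tries it before the generic rule.
RULES = [
    Rule("special cert", "wireless", "tls",
         {"CN": ("full", "user1@other.example")}, vlan=1),   # VLAN 1 as in the demo
    Rule("test user", "wireless", "tls", {}, vlan=10),        # constructed VLAN
]

def decide(session):
    return evaluate(RULES, session)
```

Rule order matters in a first-match evaluator: if the generic TLS rule were listed before the certificate-specific one, every TLS client would land on the generic rule and the special rule would never hit.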