Security

  • 1.  EAP-TLS authentication with EntraID

    Posted Feb 23, 2026 06:21 AM

    Hello Team,

    We are testing authentication + authorization using EAP-TLS with Entra ID as the authorization source. As authentication cannot currently be done with Entra, we are unchecking the auth-required option in the EAP-TLS method. The flow is working as expected. However, as we are using certificate validation only for machine authentication, we would like to limit the trust to specific certification authorities only, that is, only certificates issued by the internal CA used by the enterprise should be trusted by ClearPass. I read somewhere that in the trust list, only the internal root CA should include EAP in the certificate usage. Will that be enough? And if not, is there another way to work around this, e.g. using a condition in the enforcement policy?

    Thank you for the support ! 



    -------------------------------------------


  • 2.  RE: EAP-TLS authentication with EntraID

    Posted Feb 23, 2026 06:46 AM

    Yes, that should work. Certificates issued by any CA that is not enabled with EAP in the Trust List won't be accepted.

    But if you really want to be sure, you can check the Certificate:Issuer-CN and/or Certificate:Issuer-DN in your role-mapping or enforcement policy to further limit/verify which certificates are accepted.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: EAP-TLS authentication with EntraID

    Posted Feb 23, 2026 07:07 AM

    Hi Herman

    Ok clear thanks i'll test this one as well ! 

    Moreover, I was looking into performing authorization alongside machine-certificate verification. We were planning to populate the userPrincipalName in the machine certificate as well, as a workaround to fetch user information from the Entra ID directory, but due to some limitations it is not doable. Currently the machine certs are generated with the computer name, similar to the objects in Active Directory, and the on-prem AD is synced with Entra ID. Is there any use case to leverage the computer name and retrieve device information via Entra ID?

    With user authorization it is working fine, as the userPrincipalName is already in the CN of the cert; I just changed the default filter in the Entra ID source as per the below

    substituted mail by userPrincipalName, and we are able to pull account-enabled and group membership from Entra ID. Is there a specific filter that can be used for the computer name?

    Thanks for the usual support !

    -------------------------------------------



  • 4.  RE: EAP-TLS authentication with EntraID

    Posted Feb 23, 2026 08:58 AM

    This query retrieves information from users:users fields; devices are in a different table. If you have an attribute available that can be used to query the devices table, it may work. The query is Graph API; if you have someone in the company who understands how that works, you may be able to modify the query. But if only Intune device parameters are in the certificate, it may not be possible to run that query.



    ------------------------------
    Herman Robers
    ------------------------------
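To make the point in replies 3 and 4 concrete, here is an added example (not ClearPass or HPE Aruba code) of the two Graph lookups that a certificate CN can drive: a UPN in the CN maps to the `/users` table filtered on `userPrincipalName`, a computer name maps to the `/devices` table filtered on `displayName`, since device objects have no UPN. It also shows the authorization decision on the returned object (accountEnabled plus group membership); the Graph v1.0 endpoints are real, the CN-to-table rule and the sample response are assumptions constructed for the example.

```python
"""Map an EAP-TLS certificate Subject CN to the matching Entra ID (Microsoft Graph)
lookup and evaluate the answer. Example code; it does not reproduce the ClearPass
authorization-source filter, which is configured in the ClearPass UI.
Assumptions: user certs carry the UPN in the CN, machine certs carry the computer
name in the CN. No network call is made; the response below is constructed."""
from __future__ import annotations
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"

def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter. A single quote is doubled so a value
    copied from a certificate field cannot terminate the literal early and
    change the meaning of the filter."""
    return "'" + value.replace("'", "''") + "'"

def graph_lookup_url(subject_cn: str) -> tuple[str, str]:
    """Return (object_kind, url). A CN containing '@' is treated as a UPN and
    looked up in /users; anything else is treated as a computer name and looked
    up in /devices by displayName (devices have no userPrincipalName attribute)."""
    if "@" in subject_cn:
        kind, path, attr = "user", "users", "userPrincipalName"
    else:
        kind, path, attr = "device", "devices", "displayName"
    flt = f"{attr} eq {odata_literal(subject_cn)}"
    return kind, f"{GRAPH}/{path}?$select=id,accountEnabled&$filter={quote(flt)}"

def authorize(graph_response: dict, required_group_id: str) -> tuple[bool, str]:
    """Allow only if exactly one directory object matched, it is enabled, and it
    is a member of the required group. 'memberOf' is assumed to have been merged
    in from the object's /memberOf call. Returns (allowed, reason)."""
    matches = graph_response.get("value", [])
    if len(matches) != 1:
        return False, f"expected 1 directory object, got {len(matches)}"
    obj = matches[0]
    if obj.get("accountEnabled") is not True:
        return False, "account disabled"
    groups = {g.get("id") for g in obj.get("memberOf", [])}
    if required_group_id not in groups:
        return False, "not in required group"
    return True, "ok"

# Constructed sample, shaped like a /devices result with memberOf merged in.
SAMPLE_DEVICE_RESPONSE = {
    "value": [{"id": "dev-0001", "displayName": "PC-001", "accountEnabled": True,
               "memberOf": [{"id": "grp-corp-laptops"}]}]
}

if __name__ == "__main__":
    print(graph_lookup_url("PC-001"))
    print(authorize(SAMPLE_DEVICE_RESPONSE, "grp-corp-laptops"))
```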