Herman's response and this blog led me to explore the Endpoint repository. I am populating the Endpoint repository using the CrowdStrike Falcon extension. All of our endpoints (hosts) have Falcon installed, so the Endpoint repository is filled with host attributes. This was pretty easy to set up. In the Endpoint repository I have the following attributes which are interesting:
- hostname (our Windows machine cert has CN equal to host/<hostname>@example.com)
- serial number (our macOS machine cert has CN equal to mac-serial-number@example.com)
- Last Login User
I have created a Falcon Authorization source (similar to Herman's example and the blog post referenced earlier). The following filter is being used:
select attributes->>'CrowdStrike Last Login User' as "CrowdStrike Last Login User" FROM tips_endpoints WHERE attributes->>'CrowdStrike Serial Number' = UPPER('%{Authentication:Username}');
Basically the intention is to retrieve the user-id from the Endpoint repository, which I am correctly able to do now. I will describe later why I am extracting the user-id.
Since the Endpoint repository does not have an Aruba-User-Role or Aruba-User-Vlan, which I intend to return in the RADIUS Accept, I could manually add these to the Endpoint repository and the problem is solved. However, I would like to avoid adding this info manually if possible. We already have this info present in the form of AD groups in our Active Directory. The purpose of retrieving the user-id earlier is to do a lookup on Active Directory based on this user-id. This is where I am struggling at the moment. I don't know how to trigger an Active Directory lookup. ClearPass is already joined to the domain and we do these lookups successfully for our EAP/PEAP/MSCHAPv2 authentication. For EAP-PEAP our filter looks like the following and it works great:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user))
As I explained earlier, the Username in the case of EAP-TLS is either the serial number of the MacBook or the hostname of the Windows device. Obviously with this Username, attributes fetched with the above query would not work. Since I have the user-id retrieved from Falcon, I tried the following query, but it did not work:
(&(sAMAccountName=%{Authorization:Falcon:CrowdStrike Last Login User})(objectClass=user))
The above query was set under the authentication source where Active Directory is defined. I am not sure what the correct way of getting this to work is. I am assuming it did not work because Falcon is defined as a different auth source. Is what I am trying to do even possible?
Thanks for looking into this.
------------------------------
NadeemNet
------------------------------
Original Message:
Sent: Mar 18, 2026 05:37 AM
From: GorazdKikelj
Subject: EAP-TLS to role mapping
Hi Herman.
This is a great example. I usually use the Guest Device Repository, but in some cases the endpoint DB looks like a more elegant solution.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2025
Original Message:
Sent: Mar 18, 2026 05:25 AM
From: Herman Robers
Subject: EAP-TLS to role mapping
It's not exactly, but it can be used to store the Certificate CN in the endpoint database. I've created in my lab something similar based on the Certificate Serial number.
Make sure that the Endpoint database entry (MAC for the entry does not need to be the correct one) has additional attributes: Certificate-Serial (or CN in your case), role, and I have vlan as well.

Then I copied the Endpoint DB Auth Source (name: EndpointDB-vlan-role-by-certificate-serial) and query it based on the Certificate-Serial (instead of the original that uses Client MAC):

select attributes->>'role' as "role", attributes->>'vlan' as "vlan" FROM tips_endpoints WHERE attributes->>'Certificate-Serial' = '%{Certificate:Serial-Number}'
In the Enforcement Policy I do something like:
(Tips:Role EQUALS Homelab) AND (Authentication:OuterMethod EQUALS EAP-TLS) AND (Authorization:EndpointDB-vlan-role-by-certificate-serial:vlan EXISTS ) AND (Authorization:EndpointDB-vlan-role-by-certificate-serial:role EXISTS ) PANW-Update, EndpointDB-serial-role-vlan, Return-Full-Username
And the Enforcement profile EndpointDB-serial-role-vlan returns:
1. Radius:Aruba Aruba-User-Role = %{Authorization:EndpointDB-vlan-role-by-certificate-serial:role}
2. Radius:Aruba Aruba-User-Vlan = %{Authorization:EndpointDB-vlan-role-by-certificate-serial:vlan}
May work as well in your case and takes away the need of an external SQL database that may become a single point of failure (and additional maintenance).
Just consider this 'as inspiration'; it may not work at large scale or under all circumstances, so no guarantees, nor claims that this is the best/optimal/most-secure way of doing this.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
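The two Endpoint-repository lookups discussed in this thread (Herman's role/vlan keyed on the certificate serial, and NadeemNet's last-login-user keyed on the serial number or hostname from the certificate CN), followed by the Active Directory sAMAccountName filter, as an added stand-alone example. This is not code from the thread or from ClearPass: Python's sqlite3 with a JSON attribute column stands in for the ClearPass Postgres tips_endpoints table, the MAC addresses and attribute rows are constructed sample data, and the example assumes the realm (@example.com) is stripped from the identity before it is compared, which the thread's UPPER('%{Authentication:Username}') filter does not show. The last step also shows why a value pulled from a third-party attribute must be RFC 4515-escaped before it is interpolated into an LDAP filter.

```python
"""
Added example, not code from the thread or from ClearPass: a model of the
Endpoint-repository lookups discussed above plus an escaped AD filter.
sqlite3 + JSON stands in for the Postgres tips_endpoints table.
"""
import json
import sqlite3


def cert_identity_to_key(username: str) -> str:
    """Reduce an EAP-TLS identity (the certificate CN) to the key stored in the
    Endpoint repository, for the two CN formats described in the thread:
      'host/WS-1234@example.com' -> 'WS-1234'    (Windows: host/<hostname>@realm)
      'c02abc123@example.com'    -> 'C02ABC123'  (macOS: <serial>@realm)
    Assumption: the realm is stripped before comparison. Upper-casing mirrors
    the UPPER() in the thread's SQL filter."""
    name = username.split("@", 1)[0]
    if name.lower().startswith("host/"):
        name = name[len("host/"):]
    return name.upper()


# RFC 4515 escaping for values interpolated into an LDAP filter. The user name
# comes from a third-party attribute (Falcon's "Last Login User"), so it must
# not be able to change the structure of the filter it is substituted into.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ad_user_filter(sam_account_name: str) -> str:
    """The thread's AD filter with the looked-up user substituted and escaped."""
    return f"(&(sAMAccountName={ldap_escape(sam_account_name)})(objectClass=user))"


def build_endpoint_db() -> sqlite3.Connection:
    """Constructed stand-in for tips_endpoints: one JSON attribute bag per endpoint."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tips_endpoints (mac_address TEXT, attributes TEXT)")
    sample_rows = [  # constructed sample data, MACs are placeholders
        ("00:11:22:33:44:55", {"CrowdStrike Hostname": "WS-1234",
                               "CrowdStrike Last Login User": "jdoe"}),
        ("66:77:88:99:aa:bb", {"CrowdStrike Serial Number": "C02ABC123",
                               "CrowdStrike Last Login User": "asmith"}),
        # Herman's pattern: role/vlan keyed on the certificate serial number
        ("cc:dd:ee:ff:00:11", {"Certificate-Serial": "1A2B3C4D",
                               "role": "homelab-user", "vlan": "110"}),
        # a hostile attribute value, to show why the LDAP filter must be escaped
        ("22:33:44:55:66:77", {"CrowdStrike Serial Number": "C02ZZZ999",
                               "CrowdStrike Last Login User": "x*)(objectClass=*"}),
    ]
    conn.executemany("INSERT INTO tips_endpoints VALUES (?, ?)",
                     [(mac, json.dumps(attrs)) for mac, attrs in sample_rows])
    return conn


def _attr(name: str) -> str:
    # json_extract(attributes, '$."CrowdStrike Serial Number"') is the sqlite
    # equivalent of Postgres' attributes->>'CrowdStrike Serial Number'
    return f"json_extract(attributes, '$.\"{name}\"')"


def lookup_last_login_user(conn, username: str):
    """NadeemNet's query, extended to match either the serial number (macOS) or
    the hostname (Windows). The key is bound as a parameter, never interpolated."""
    key = cert_identity_to_key(username)
    row = conn.execute(
        f"SELECT {_attr('CrowdStrike Last Login User')} FROM tips_endpoints "
        f"WHERE UPPER({_attr('CrowdStrike Serial Number')}) = ? "
        f"   OR UPPER({_attr('CrowdStrike Hostname')}) = ?",
        (key, key)).fetchone()
    return row[0] if row else None


def lookup_role_vlan(conn, cert_serial: str):
    """Herman's query: role and vlan keyed on the certificate serial number."""
    row = conn.execute(
        f"SELECT {_attr('role')}, {_attr('vlan')} FROM tips_endpoints "
        f"WHERE {_attr('Certificate-Serial')} = ?", (cert_serial,)).fetchone()
    return (row[0], row[1]) if row else None


if __name__ == "__main__":
    db = build_endpoint_db()
    for ident in ("host/ws-1234@example.com", "c02abc123@example.com", "C02ZZZ999"):
        user = lookup_last_login_user(db, ident)
        print(ident, "->", user, "->", ad_user_filter(user) if user else "(no endpoint)")
    print("1A2B3C4D ->", lookup_role_vlan(db, "1A2B3C4D"))
```

The hostile fourth row is the point of the escaping step: without ldap_escape, a "Last Login User" value of x*)(objectClass=* would turn the sAMAccountName filter into a wildcard match, which is the same class of problem as injecting into the SQL filter, and the reason the endpoint key is passed as a bound parameter rather than spliced into the query string.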
Original Message:
Sent: Mar 17, 2026 09:33 AM
From: MGT-Joe
Subject: EAP-TLS to role mapping
dvmrp,
See this AirHeads Broadcast video by Herman. I think it is exactly what you are looking for: Airheads Broadcast
Original Message:
Sent: Mar 16, 2026 08:11 AM
From: dvmrp
Subject: EAP-TLS to role mapping
Hi All,
We are implementing Wi-Fi authentication on ClearPass using EAP-TLS. We also plan to implement "Roles" based on the CN in the certificate. What is the best way to store the CN-to-role mapping information? Would an external SQL DB be the best choice, or somewhere locally on the ClearPass? We are talking about less than 1000 devices here.
Thanks,