Administrator Guide

110 | Onboard Dell Networking W-ClearPass Guest 6.5.0 | User Guide
Authority Info Access:
Specify one of the following options to control whether the certificate carries the information needed for automatic certificate revocation checks:
- Do not include OCSP responder URL: The Authority Info Access extension is not included in the client certificate. Certificate revocation checking must be configured manually on the authentication server. This is the default option.
- Include OCSP responder URL: The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a predetermined value. This value is displayed as the “OCSP URL”.
- Specify an OCSP responder URL: The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a value defined by the administrator. This value may be specified in the “OCSP URL” field.
Validity Period:
Specifies the maximum length of time for which a client certificate issued during device provisioning will remain valid.
Clock Skew Allowance:
Adds a small amount of time to the start and end of the client certificate’s validity period. This permits a newly issued certificate to be recognized as valid in a network where not all devices are perfectly synchronized.
For example, if the current time is 12:00 and the clock skew allowance is set to the default value of 15 minutes, the client certificate is issued with a “not valid before” time of 11:45. If the authentication server that receives the client certificate has a clock reading 11:58, it still recognizes the certificate as valid. If the clock skew allowance were set to 0 minutes, the authentication server would not recognize the certificate as valid until its own clock reached 12:00.
The default of 15 minutes is reasonable. If you expect all devices on the network to be synchronized, the value may be reduced. A setting of 0 minutes is not recommended, as it does not permit any variance between device clocks.
When issuing a certificate, the certificate’s validity period is determined as follows:
- The “not valid before” time is set to the current time, less the clock skew allowance.
- The “not valid after” time is first calculated as the earliest of the following:
  - The current time, plus the maximum validity period.
  - The expiration time of the user account for whom the device certificate is being issued.
- The “not valid after” time is then increased by the clock skew allowance.
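As an added illustration that is not part of the ClearPass Guest documentation, the following Python applies the three steps above and reproduces the 12:00 / 11:58 clock skew example; the function names and the sample times are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple


def certificate_validity(now: datetime, max_validity: timedelta, clock_skew: timedelta,
                         account_expiry: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Return (not_before, not_after) using the three steps listed above."""
    # Step 1: "not valid before" is the current time less the clock skew allowance.
    not_before = now - clock_skew
    # Step 2: "not valid after" starts as the earliest of (now + maximum validity)
    # and the user account's expiration time, when the account has one.
    not_after = now + max_validity
    if account_expiry is not None and account_expiry < not_after:
        not_after = account_expiry
    # Step 3: the clock skew allowance is then added to "not valid after".
    not_after += clock_skew
    return not_before, not_after


def accepted_at(server_clock: datetime, not_before: datetime, not_after: datetime) -> bool:
    """True if an authentication server whose clock reads server_clock sees the
    certificate as inside its validity period."""
    return not_before <= server_clock <= not_after


def scenario_12_00() -> dict:
    """Constructed sample values reproducing the 12:00 / 11:58 scenario above.
    Returns plain strings and booleans so the outcome is easy to check."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    server = now - timedelta(minutes=2)                   # server clock reads 11:58
    year = timedelta(days=365)                            # assumed maximum validity
    nb15, na15 = certificate_validity(now, year, timedelta(minutes=15))
    nb0, na0 = certificate_validity(now, year, timedelta(0))
    # An account expiring in 30 days caps "not valid after" before the skew is added.
    _, na_acct = certificate_validity(now, year, timedelta(minutes=15),
                                      account_expiry=now + timedelta(days=30))
    return {
        "not_before_skew15": nb15.strftime("%H:%M"),        # "11:45"
        "accepted_skew15": accepted_at(server, nb15, na15),  # True
        "not_before_skew0": nb0.strftime("%H:%M"),           # "12:00"
        "accepted_skew0": accepted_at(server, nb0, na0),     # False
        "not_after_with_account": na_acct.isoformat(),       # "2024-01-31T12:15:00+00:00"
    }


if __name__ == "__main__":
    for key, value in scenario_12_00().items():
        print(f"{key}: {value}")
```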
Subject Alternative Name:
To include additional fields in the TLS client certificate issued for a device, mark the Include device information in TLS client certificates check box. These fields are stored in the subject alternative name (subjectAltName) extension of the certificate. Refer to Table 21 for a list of the fields that are stored in the certificate when this option is enabled.
Storing additional device information in the client certificate allows additional authorization checks to be performed during device authentication.
Digest Algorithm:
The hash (digest) algorithm used when signing issued certificates.
If you are using a Dell controller to perform EAP-TLS authentication using these client certificates, you must have
ArubaOS 6.1 or later to enable the Subject Alternative Name option and store device information in the subject
alternative name.