Connectivity Guide

- Specify an OCSP responder URL: The Authority Info Access extension is added to the client certificates,
with the OCSP responder URL set to a value defined by the administrator. This value may be specified in the
“OCSP URL” field.
6. Use the drop-down list in the Validity Period field to specify the maximum length of time for which a client
certificate issued during device provisioning will remain valid.
7. The Clock Skew Allowance text field adds a small amount of time to the start and end of the client certificate’s
validity period. This permits a newly issued certificate to be recognized as valid in a network where not all devices
are perfectly synchronized.
For example, if the current time is 12:00, and the clock skew allowance is set to the default value of 15 minutes,
then the client certificate will be issued with a “not valid before” time of 11:45. In this case, if the authentication
server that receives the client certificate has a time of 11:58, it will still recognize the certificate as valid. If the
clock skew allowance was set to 0 minutes, then the authentication server would not recognize the certificate as
valid until its clock has reached 12:00.
The default of 15 minutes is reasonable. If you expect that all devices on the network will be synchronized, then the
value may be reduced. A setting of 0 minutes is not recommended, as this does not permit any variance in clocks
between devices.
When issuing a certificate, the certificate’s validity period is determined as follows:
- The “not valid before” time is set to the current time, less the clock skew allowance.
- The “not valid after” time is first calculated as the earliest of the following:
  - The current time, plus the maximum validity period.
  - The expiration time of the user account for whom the device certificate is being issued.
- The “not valid after” time is then increased by the clock skew allowance.
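The validity calculation above, and the 12:00 / 11:45 / 11:58 clock skew example in step 7, can be worked through in code. The following is an added illustration, not part of this guide and not ClearPass code; the function names, the sample times and the 365-day validity period are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple


def certificate_validity(
    now: datetime,
    max_validity: timedelta,
    clock_skew: timedelta,
    account_expiry: Optional[datetime] = None,
) -> Tuple[datetime, datetime]:
    """Return (not_before, not_after) using the rules described in the guide.

    not_before = now - clock_skew
    not_after  = min(now + max_validity, account_expiry) + clock_skew
    """
    not_before = now - clock_skew

    # Earliest of "now + maximum validity" and the user account's expiry time.
    not_after = now + max_validity
    if account_expiry is not None and account_expiry < not_after:
        not_after = account_expiry

    # The skew allowance is added to the end of the period as well.
    not_after = not_after + clock_skew
    return not_before, not_after


def is_valid_at(check_time: datetime, not_before: datetime, not_after: datetime) -> bool:
    """What an authentication server with clock `check_time` would decide."""
    return not_before <= check_time <= not_after


if __name__ == "__main__":
    # Constructed sample: issuance at 12:00, default 15-minute skew allowance.
    issued = datetime(2013, 1, 1, 12, 0)
    nb, na = certificate_validity(issued, timedelta(days=365), timedelta(minutes=15))
    print("not before:", nb, "not after:", na)
    # An authentication server whose clock reads 11:58 still accepts it.
    print("valid at 11:58 with 15 min skew:", is_valid_at(datetime(2013, 1, 1, 11, 58), nb, na))
    # With a 0-minute allowance the same server rejects it until 12:00.
    nb0, na0 = certificate_validity(issued, timedelta(days=365), timedelta(minutes=0))
    print("valid at 11:58 with 0 min skew:", is_valid_at(datetime(2013, 1, 1, 11, 58), nb0, na0))
```

Running the block prints the computed period for each case; the account-expiry branch matters when the user account expires before the maximum validity period elapses, in which case the certificate ends at the account expiry time plus the skew allowance.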
8. In the Subject Alternative Name field, to include additional fields in the TLS client certificate issued for a device,
mark the Include device information in TLS client certificates check box. These fields are stored in the subject
alternative name (subjectAltName) of the certificate. Refer to Table 16 for a list of the fields that are stored in the
certificate when this option is enabled.
Storing additional device information in the client certificate allows for additional authorization checks to be
performed during device authentication.
If you are using an Aruba controller to perform EAP-TLS authentication using these client certificates, you must have
Aruba OS 6.1 or later to enable this option.
Table 16: Device Information Stored in TLS Client Certificates

Name | Description | OID
Device ICCID | Integrated Circuit Card Identifier (ICCID) number from the Subscriber Identity Module (SIM) card present in the device. This is only available for devices with GSM (cellular network) capability, where a SIM card has been installed. | mdpsDeviceIccid (.4)
Device IMEI | International Mobile Equipment Identity (IMEI) number allocated to this device. This is only available for devices with GSM (cellular network) capability. | mdpsDeviceImei (.3)
Device Serial | Serial number of the device. | mdpsDeviceSerial (.9)
Device Type | Type of device, such as “iOS”, “Android”, etc. | mdpsDeviceType (.1)
Device UDID | Unique device identifier (UDID) for this device. This is typically a | mdpsDeviceUdid (.2)
Dell Networking W-ClearPass Guest 6.2 | User Guide Onboard + WorkSpace | 87