Deployment Guide

98 | Onboard + WorkSpace Dell Networking W-ClearPass Guest 6.3 | User Guide
Field / Description
Authority Info Access
Specify one of the following options to control automatic certificate revocation checks:
• Do not include OCSP responder URL: The Authority Info Access extension is not included in the client certificate. Certificate revocation checking must be configured manually on the authentication server. This is the default option.
• Include OCSP responder URL: The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a predetermined value. This value is displayed as the “OCSP URL”.
• Specify an OCSP responder URL: The Authority Info Access extension is added to the client certificates, with the OCSP responder URL set to a value defined by the administrator. This value may be specified in the “OCSP URL” field.
Validity Period
Specifies the maximum length of time for which a client certificate issued during device
provisioning will remain valid.
Clock Skew Allowance
Adds a small amount of time to the start and end of the client certificate's validity period. This permits a newly issued certificate to be recognized as valid in a network where not all devices are perfectly synchronized.
For example, if the current time is 12:00, and the clock skew allowance is set to the default value of 15 minutes, then the client certificate will be issued with a “not valid before” time of 11:45. In this case, if the authentication server that receives the client certificate has a time of 11:58, it will still recognize the certificate as valid. If the clock skew allowance were set to 0 minutes, then the authentication server would not recognize the certificate as valid until its clock has reached 12:00.
The default of 15 minutes is reasonable. If you expect that all devices on the network will be synchronized, then the value may be reduced. A setting of 0 minutes is not recommended, as this does not permit any variance in clocks between devices.
When issuing a certificate, the certificate’s validity period is determined as follows:
• The “not valid before” time is set to the current time, less the clock skew allowance.
• The “not valid after” time is first calculated as the earliest of the following:
  • The current time, plus the maximum validity period.
  • The expiration time of the user account for whom the device certificate is being issued.
• The “not valid after” time is then increased by the clock skew allowance.
Subject Alternative Name
To include additional fields in the TLS client certificate issued for a device, mark the
Include device information in TLS client certificates check box. These fields are stored
in the subject alternative name (subjectAltName) of the certificate. Refer to Table 21 for
a list of the fields that are stored in the certificate when this option is enabled.
Storing additional device information in the client certificate allows for additional
authorization checks to be performed during device authentication.
Table 20: Certificate Authority Settings, Certificate Issuing Area
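As an added worked example (not code from the W-ClearPass Guest product), the following Python applies the validity period and clock skew rules from Table 20 to constructed sample times: it reproduces the 12:00 / 11:45 / 11:58 case from the Clock Skew Allowance description, shows the account expiry capping the “not valid after” time, and shows why a 0-minute allowance causes a server whose clock lags to reject a freshly issued certificate.

```python
# Added example, not W-ClearPass Guest product code: applies the certificate
# validity rules described above to constructed sample times.
from datetime import datetime, timedelta
from typing import Optional, Tuple


def validity_window(now: datetime, max_validity: timedelta,
                    clock_skew: timedelta = timedelta(minutes=15),
                    account_expiry: Optional[datetime] = None
                    ) -> Tuple[datetime, datetime]:
    """Return (not_valid_before, not_valid_after) for a new client certificate.

    not_valid_before is the current time less the skew allowance. The
    not_valid_after time is the earlier of now + max_validity and the user
    account's expiry (if the account expires), then increased by the allowance.
    """
    if clock_skew < timedelta(0):
        raise ValueError("clock skew allowance cannot be negative")
    not_before = now - clock_skew
    not_after = now + max_validity
    if account_expiry is not None and account_expiry < not_after:
        not_after = account_expiry
    return not_before, not_after + clock_skew


def accepted_by(server_clock: datetime,
                window: Tuple[datetime, datetime]) -> bool:
    """True if an authentication server whose clock reads server_clock would
    treat the certificate as currently within its validity period."""
    not_before, not_after = window
    return not_before <= server_clock <= not_after


def demo() -> dict:
    """Constructed sample: certificate issued at 12:00 with a 30-day maximum
    validity, for an account that expires before the 30 days are up."""
    issued = datetime(2014, 6, 1, 12, 0)
    expires = datetime(2014, 6, 15, 9, 0)
    lagging_server = datetime(2014, 6, 1, 11, 58)  # clock two minutes behind
    win = validity_window(issued, timedelta(days=30), account_expiry=expires)
    zero = validity_window(issued, timedelta(days=30),
                           clock_skew=timedelta(0), account_expiry=expires)
    return {
        "not_before": win[0].isoformat(),  # 11:45: skew subtracted
        "not_after": win[1].isoformat(),   # account expiry plus 15 minutes
        "accepted_with_default_skew": accepted_by(lagging_server, win),
        "accepted_with_zero_skew": accepted_by(lagging_server, zero),  # False
    }
```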