MAG6611 running 7.4R9.3
I have a realm configured to use a certificate auth server for authentication. I want to make sure that this realm will only accept user certs from one particular organization.
When I do a policy trace on a user logging into this realm, here is the value I want to try and match:
info - [xxx.xxx.xxx.xxx] - Username(Realm) - 2014/05/16 12:58:47 - MAG_hostname - Variable certIssuerDn.OU = "OCIO CA"
So I go into Realm -> Authentication Policy -> Certificate. The bottom radio button (Only allow users with a client-side certificate) is already selected. Below that is the section where you can specify restrictions, i.e. values to match within the cert. For each item you must specify "Certificate field" and "Expected value".
Does anybody know what the specific syntax is for filling in those two boxes? Do you have to put quotes or <> brackets around the values to get them to match? I have tried several variations and I just keep getting "Sign-in rejected. Reason: Wrong Certificate" in the policy trace. If I delete the restriction then the user can connect with no trouble.
What I have right now trying to match the value above is:
Certificate field: certIssuerDn.OU no quotes or brackets
Expected value: "OCIO CA" double-quotes aroudn the whole value
Seems to me like that should work, but it's not matching up.
First the obvious questions. Have you tried without the quotes on the expected value?
Second are there multiple OUs for the certIssuerDN? If yes then there is a note in the help that it may not authenticate correctly if an attribute has multiple values.
Sorry Kita, I don't quite understand your reply. Are you saying that a certificate restriction at the realm level cannot match against the certIssuerDN.* fields in the user's certificate? If so, could this be done at the role level instead? Is there any documentation available as to which certificate contents can be matched at the realm level and at the role level?
I have not been able to find much info in the documentation about what you can do in the certificate restriction screen or what the syntax is. The only doc I've found with extensive details is this one related to custom expressions, but perhaps the capabilities are different there: