Thanks to visit codestin.com
Credit goes to github.com

Skip to content

feat(enroll): machine- and user-based certs for VPN mTLS, 802.1X/NAC (Cisco ISE), and BYOD/MDM #112

Description

@Bugs5382

Certificates issued by CryptOS should work with internal or external providers for device and user network authentication, and they should support both machine-based and user-based assignment.

The main scenarios are BYOD and MDM device enrollment, where an MDM hands a CryptOS certificate to a device; VPN tunnels authenticated with a certificate; and network access control over 802.1X on both wired and wireless, such as Cisco ISE.

The driving example: a laptop holds a machine certificate, so it can bring up the VPN before anyone logs in. Once the user signs in, authentication switches to a user certificate. The same split applies with Cisco ISE, where the machine certificate grants a baseline level of access over 802.1X and user authentication layers on top.

For CryptOS this means issuing machine certificates whose identity is the machine's DNS name and user certificates whose identity is the user's UPN or email, both with the Client Authentication EKU so RADIUS, NAC, and VPN concentrators accept them. Both scopes come from the same CA. Delivery happens through native autoenrollment or MDM (see #108), and the verifiers have to trust the CryptOS chain.

Not scheduled. The exact certificate profiles, the RADIUS and ISE trust and policy config, MDM integration, and how a machine-versus-user profile is chosen at enrollment are still open.

Metadata

Metadata

Assignees

Labels

enhancementNew feature (feat). Minor version bump.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions