Dynamically Extracting the Username from the X.509 Subject Field

Each user can have its own set of authorization credentials based upon a specified distinguished name attribute extracted from the X.509 certificate subject field. The distinguished name attribute can be specified as a long name, short name, or an OID. X.509 Subject Field Distinguished Name Attributes lists a few examples of the supported distinguished name attributes.

X.509 Subject Field Distinguished Name Attributes

Attribute	Long Name	Short Name	OID
Country Name	countryName	C	2.5.4.6
Organization Name	organizationName	O	2.5.4.10
Organizational Unit Name	organizationalUnitName	OU	2.5.4.11
Common Name	commonName	CN	2.5.4.3

The username can be prefixed with a fixed string. For example, if the distinguished name attribute is Extremenetworks and the specified prefix is foo, the extracted username will be fooExtremenetworks.

In some instances it may be desirable to use only a subset of the extracted attribute, rather than the entire attribute verbatim. The match option allows for the dynamic application of a regular expression to the extracted attribute. The matching character output is used as the username. The S- and K-Series support the Extended Regular Expression (ERE) regular expression format.

The username can be suffixed with a fixed string. For example, if the distinguished name attribute is US, and the specified suffix is bar, the extracted username will be USbar.

Use the set pki authorization username attribute command to configure a dynamic extracted username from the X.509 certificate subject field.

In the following example, the final ten digits of the CN portion of the certificate subject field along with the @army.mil portion of the RADIUS account user name will be used create a new RADIUS account user name.

The X.509 certificate subject field contains:

Subject: C=US, O=U.S. Government, OU=DoD, OU=PKI, OU=DISA, CN=doe.jane.d.3100020770

The resulting RADIUS account user name:

3100020770@army.mil

To form the RADIUS account user name using the X.509 certificate CN portion of the subject field, enter the following command where:

commonName = The user name attribute will be based upon the commonName portion of the subject field
[0-9] = Match digits 0 thru 9
{10} = Match ten of those digits
$ = Those digits must be at the end of the input

@army.mil = Append @army.mil to the 10 digits

System(su)->set pki authorization username attribute commonName match [0-9]{10}$ suffix @army.mil

Published May 2016prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback