AAA, NAC, Guest Access & BYOD

How to check if an AD account is disabled in ClearPass with the userAccountControl attribute

Aruba Employee

This article talks about adding UserAccountControl attribute of AD/LDAP to ClearPass.

 

 

If ClearPass is using AD/LDAP as an authentication source, It will authenticate any user which is present in the AD/LDAP even if the account is disabled if the AD/LDAP if the UserAccountControl attribute is not added.

Below are the steps to add this attribute.

Login to ClearPass and navigate to "Configuration » Authentication » Sources"

 

rtaImage.png

Click on the AD or LDAP server which we are using as an authentication source. 

 

rtaImage (1).png

 

Click on the Attributes tab.

 

rtaImage (2).png

We have to add UserAccountControl  under Authentication.
Click on Authentication.

 

rtaImage (3).png

Click on "Click to add" and add the attribute as shown below.

rtaImage (4).png

 

Save the configuration.userAccountControl added as an Authentication attribute.

 

rtaImage (5).png

 

Verify that AD is returning this attribute. Click on Authentication - > Browse.

 

rtaImage (6).png

 

On this Ldap Browser  query for any user on AD and check if AD is returning the userAccountControl attribute.

 

rtaImage (7).png

This verifies that ClearPass is getting <userAccountControl attribute. When value of userAccountControl  is 66050 then its disabled else the account is enabled.

 

We can also add new attributes based on our requirements. For more details on the Attributes list we can visit http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090(v=vs.85).aspx

Version history
Revision #:
3 of 3
Last update:
‎10-25-2017 06:04 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: