
How to prevent AD account being Locked out by 5 failed authentications 

Apr 08, 2015 10:18 AM

When ClearPass authenticates employees' corporate phones (EAP-PEAP) against AD, a problem arises at the 60-day password expiration: users change their AD password on their computer but forget to change it on their phones. The phones keep authenticating with the old saved credentials, and the account is locked out after 5 failures.

 

Environment :

This article applies to WLAN/LAN setups where users authenticate against a ClearPass server with AD/LDAP as the authentication source.

Network Topology : as above, users authenticating against ClearPass with AD/LDAP as the authentication source.

 

1. Log in to the ClearPass Policy Manager WebUI and navigate to Configuration » Authentication » Sources » [LDAP/AD Server] » Attributes tab » Filter name "Authentication".

 

 


 

2. Add the logic to the Filter Query

Adding "(!(badPwdCount>=4))" to the filter query means CPPM will not forward an authentication request to AD/LDAP for a user whose badPwdCount is already 4 or greater. The value 4 is one below the 5-failure lockout threshold described above; if your domain uses a different lockout threshold, use that threshold minus one.

The entire filter query is as below:
(&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))

 


 

3. Click on the Browse tab and browse the user info for "badPwdCount" to check the count for a specific user, as shown below.

 


 

Before authentication, the default LDAP filter searches the LDAP tree for the user object. If the user object is not found, ClearPass does not submit the authentication and returns "user does not exist".

Adding "(!(badPwdCount>=4))" to the filter adds the restriction that the user object must not have recorded 4 incorrect passwords. The net effect is that any user who has entered 4 incorrect passwords will not be returned by the filter, and ClearPass will report that the user object does not exist. Since this search occurs before the authentication is submitted, ClearPass sends no authentication to AD for users on their "last strike", which prevents the lockout. Note that AD keeps badPwdCount per domain controller rather than replicating it (failed attempts are also forwarded to the PDC emulator), so the count ClearPass sees is the one held by the DC it queries.

Any successful authentication to AD outside of ClearPass resets the badPwdCount counter; the user will then be found by the LDAP search again and can authenticate through ClearPass.
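To make the behaviour of steps 2 and 3 and the explanation above concrete without a lab, here is an added example (not ClearPass or Aruba code) that models the "Authentication" filter over a few constructed AD-style user entries. The function and variable names, the sample accounts and the simplified lockout bookkeeping are the example's own assumptions; the filter string, the guard value 4 (lockout threshold 5 minus one) and the two Access Tracker messages are taken from the article. The RFC 4515 escaping of the substituted username is a hygiene step the example adds, not something the article discusses.

```python
"""Model of the ClearPass 'Authentication' LDAP filter with a badPwdCount guard.

Added example, not ClearPass code: it reproduces the filter semantics against
constructed AD-like user entries so the effect of the guard can be seen. It
assumes a domain lockout threshold of 5, as in the article, so the guard value
is threshold - 1 = 4.
"""
from typing import Optional

AUTH_FAILURE = "User Authentication Failure"   # Access Tracker message, attempts 1-4
USER_NOT_FOUND = "user does not exist"         # Access Tracker message once filtered out


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it is matched literally.

    ClearPass substitutes %{Authentication:Username} into the filter; escaping
    here is the example's own hygiene step (assumption, not article content).
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def build_auth_filter(username: str, lockout_threshold: int = 5) -> str:
    """Return the article's filter string for a concrete username and threshold."""
    if lockout_threshold < 2:
        raise ValueError("guard needs a lockout threshold of at least 2")
    guard = lockout_threshold - 1  # keep the account one failure below lockout
    return (
        "(&(&(sAMAccountName=%s)(objectClass=user))(!(badPwdCount>=%d)))"
        % (escape_filter_value(username), guard)
    )


def find_user(directory: list, username: str, lockout_threshold: int = 5,
              guard: bool = True) -> Optional[dict]:
    """Evaluate the filter the way an LDAP server would, over dict entries.

    sAMAccountName comparison is case-insensitive, as in AD. A missing
    badPwdCount makes the '>=' item FALSE, so the NOT clause passes.
    With guard=False the default filter (no badPwdCount clause) is evaluated.
    """
    limit = lockout_threshold - 1
    for entry in directory:
        if entry.get("sAMAccountName", "").lower() != username.lower():
            continue
        if "user" not in entry.get("objectClass", []):
            continue
        if guard and entry.get("badPwdCount", 0) >= limit:
            continue  # filtered out: ClearPass reports "user does not exist"
        return entry
    return None


def simulate_wrong_passwords(directory: list, username: str, attempts: int,
                             lockout_threshold: int = 5, guard: bool = True) -> list:
    """Replay bad-password logins and return Access Tracker-style messages.

    Only requests that pass the filter reach AD, and only those increment
    badPwdCount on the DC (and lock the account at the threshold). The lockout
    bookkeeping is simplified: a locked account just keeps a 'lockedOut' flag.
    """
    messages = []
    for _ in range(attempts):
        entry = find_user(directory, username, lockout_threshold, guard)
        if entry is None:
            messages.append(USER_NOT_FOUND)
            continue
        entry["badPwdCount"] = entry.get("badPwdCount", 0) + 1
        if entry["badPwdCount"] >= lockout_threshold:
            entry["lockedOut"] = True
        messages.append(AUTH_FAILURE)
    return messages


def successful_logon_outside_clearpass(entry: dict) -> None:
    """A good logon to AD (e.g. on the user's PC) resets badPwdCount to 0."""
    entry["badPwdCount"] = 0


def make_directory() -> list:
    """Constructed sample entries (not real accounts)."""
    return [
        {"sAMAccountName": "jdoe", "objectClass": ["top", "person", "user"],
         "badPwdCount": 0, "lockedOut": False},
        {"sAMAccountName": "svc-printer", "objectClass": ["top", "person", "user"],
         "badPwdCount": 4, "lockedOut": False},
    ]


if __name__ == "__main__":
    d = make_directory()
    print(build_auth_filter("jdoe"))
    print(simulate_wrong_passwords(d, "jdoe", 6))   # 4 failures, then 2 "user does not exist"
    print(d[0])                                      # badPwdCount stays at 4, never locked
```

Running the module replays the article's test: six wrong passwords produce four "User Authentication Failure" records and then "user does not exist", while badPwdCount stops at 4 and the account is never locked; with `guard=False` the same six attempts lock the account. Calling `successful_logon_outside_clearpass` on the entry clears the counter, after which `find_user` returns the account again.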

 

After making the configuration changes above, you can test with a client by authenticating against CPPM with a wrong password 5 or more times. Access Tracker records in the CPPM GUI for the first 4 attempts will show a failed authentication with the message "User Authentication Failure".

After the 4th wrong-password attempt, browse the user info by logging in to the ClearPass Policy Manager WebUI and navigating to Configuration » Authentication » Sources » [LDAP/AD Server] » Attributes tab » Filter name "Authentication" » Browse tab. "badPwdCount" should show the value 4.

 

 


 

Any further authentication requests from this user with a wrong password will still fail, but with a different Access Tracker message: "user does not exist". This is because the filter query now takes "badPwdCount" into account and does not return the user once the count is 4 or greater.

 

To troubleshoot a user-reported issue in this scenario, go to Access Tracker and check the alert message for the user's authentication event.

Then browse the user info to verify "badPwdCount": log in to the ClearPass Policy Manager WebUI and navigate to Configuration » Authentication » Sources » [LDAP/AD Server] » Attributes tab » Filter name "Authentication" » Browse tab.

If "badPwdCount" is 4 or greater, have the user authenticate successfully to AD outside of ClearPass (for example, by logging in with the new password on their computer). This resets badPwdCount to 0 for the user, who is then found by the LDAP search again and can authenticate through ClearPass.
