MVP
Posts: 561
Registered: ‎11-28-2011

Clearpass - checking AD user account status when mac-caching

Hi All,

I had thought this might be simple, but now I'm not sure.

I have a scenario where there is a captive portal service with mac-caching. The initial web-logins are authenticated against AD, and an endpoint entry gets created (which contains the AD username used in the first place).

As an extension to this, I'm now trying to add something to the mac-auth service, which will go back to AD and check that the user's account (which originally was used on the endpoint) simply "exists" and isn't disabled.

I assumed this might be achieved by way of an authorization configuration or similar, but I can't get it to work, and my efforts would be nonsense if I posted them here.

For a number of complicated reasons, I can't use the service templates. The service has been setup bit-by-bit.

Any suggestions would be great.

Kudos appreciated, but I'm not hunting! (ACMX 104)
MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Clearpass - checking AD user account status when mac-caching

Don't quite understand this part:

"As an extension to this, I'm now trying to add something to the mac-auth service, which will go back to AD and check that the user's account (which originally was used on the endpoint) simply "exists" and isn't disabled"

You should be able to use the Guest Mac authentication template to make this work.

You will need to adjust the authentication/authorization source to use AD in the service "Guest with Mac caching". Of course, these are the default names, but you could change them later. The only change you need to make to the Guest Mac authentication service is the amount of time you want to allow the user before it gets redirected again.

In your web login you need to select "requires username/password", and authentication should be set to RADIUS.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 7,842
Registered: ‎09-08-2010

Re: Clearpass - checking AD user account status when mac-caching

This would probably require a custom SQL query that compares the username in the endpoint database to the account status for that username in Active Directory.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 561
Registered: ‎11-28-2011

Re: Clearpass - checking AD user account status when mac-caching

Thanks for the responses. Like I say, we can't use the templates in this customer case.

I actually worked out the answer shortly after posting. I've basically achieved what we wanted, by adding an enforcement rule that checks into the AD authorization source, for an LDAP attribute of "userAccountControl". This value seems to be returned as 512 if the account is enabled, so we just check that is the case in the mac-auth service rules. If it's not, we reject (results in logon role).

Good point regarding the AD auth source cache timer. We've tuned that a bit.

Thanks.

Kudos appreciated, but I'm not hunting! (ACMX 104)
Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Re: Clearpass - checking AD user account status when mac-caching

Looking to achieve the same thing; you wouldn't by chance remember what you configured in the enforcement, or if the 512 value is the same for all Microsoft AD?

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
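As an added example (not from any poster in this thread), the following Python shows why the 512 value is not the same for every account: userAccountControl is a bitmask, 512 is just NORMAL_ACCOUNT with no other flags set, and the "disabled" state is the ACCOUNTDISABLE bit (0x2). The flag values are Microsoft's documented constants; the directory entries and the mac_auth_decision helper are constructed here to mimic the rule described above.

```python
# Added example: decoding AD userAccountControl for a MAC-auth "is the account
# still enabled?" rule. Flag constants are Microsoft's documented values.
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200       # 512: the value seen in the thread
DONT_EXPIRE_PASSWORD = 0x10000
PASSWORD_EXPIRED = 0x800000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    LOCKOUT: "LOCKOUT",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

def decode_uac(uac: int) -> list[str]:
    """Names of the flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]

def enabled_by_equality(uac: int) -> bool:
    """The rule from the thread: enabled only if the raw value equals 512."""
    return uac == NORMAL_ACCOUNT

def enabled_by_bit(uac: int) -> bool:
    """Bit-aware check: enabled unless the ACCOUNTDISABLE bit is set."""
    return not uac & ACCOUNTDISABLE

# Constructed stand-in for the AD lookup keyed by the username cached on the endpoint.
DIRECTORY = {
    "alice": 512,    # plain enabled account
    "bob": 514,      # disabled (512 | 2)
    "carol": 66048,  # enabled, password never expires (512 | 65536)
    "dave": 528,     # enabled but currently locked out (512 | 16)
}

def mac_auth_decision(endpoint_username: str, check=enabled_by_bit) -> str:
    """Role a MAC-auth rule would assign for the endpoint's cached AD username."""
    uac = DIRECTORY.get(endpoint_username)
    if uac is None:          # account no longer exists: reject
        return "reject"
    return "allow" if check(uac) else "reject"
```

With the equality rule, "carol" (an enabled account whose password never expires) is rejected, while the bit check accepts her and still rejects the disabled "bob"; a locked-out account is a separate flag and needs its own test.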