09-15-2014 06:01 AM
I had thought this might be simple, but now I'm not sure.
I have a scenario where there is a captive portal service with mac-caching. The initial web-logins are authenticated against AD, and an endpoint entry gets created (which contains the AD username used in the first place).
As an extension to this, I'm now trying to add something to the mac-auth service, which will go back to AD and check that the user's account (which originally was used on the endpoint) simply "exists" and isn't disabled.
I assumed this might be achieved by way of an authorization configuration or similar, but I can't get it to work, and my efforts would be nonsense if I posted them here.
For a number of complicated reasons, I can't use the service templates. The service has been set up bit by bit.
Any suggestions would be great.
09-15-2014 06:20 AM
Don't quite understand this part:
"As an extension to this, I'm now trying to add something to the mac-auth service, which will go back to AD and check that the user's account (which originally was used on the endpoint) simply "exists" and isn't disabled"
You should be able to use the Guest Mac authentication template to make this work.
You will need to adjust the authentication/authorization source to use AD in the service "Guest with Mac caching". Of course these are the default names, but you could change them later. The only change you need to make to the Guest Mac authentication service is the amount of time you want to allow the user before it gets redirected again.
In your web login you need to select "requires username/password", and authentication should be set to RADIUS.
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
09-15-2014 06:23 AM
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
09-15-2014 07:42 AM
Thanks for the responses. Like I say, we can't use the templates in this customer case.
I actually worked out the answer shortly after posting. I've basically achieved what we wanted, by adding an enforcement rule that checks into the AD authorization source, for an LDAP attribute of "userAccountControl". This value seems to be returned as 512 if the account is enabled, so we just check that is the case in the mac-auth service rules. If it's not, we reject (results in logon role).
Good point regarding the AD auth source cache timer. We've tuned that a bit.
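The check described in the post above, written out as an added example (not ClearPass configuration, and not code from anyone in this thread), so the meaning of the 512 value is visible. userAccountControl is a bit field: NORMAL_ACCOUNT is 0x0200 (512) and ACCOUNTDISABLE is 0x0002, so an enabled normal account with no other flags reads 512, a disabled one reads 514, and an enabled account whose password never expires reads 66048. Testing the disable bit is therefore more robust than comparing the whole value with 512. The directory entries, endpoint records and role names are constructed sample data; the ClearPass role names and the "directory" lookup are assumptions standing in for the real authorization source.

```python
"""Decode Active Directory userAccountControl for a MAC-caching re-check.

Flag values are taken from Microsoft's userAccountControl documentation.
Everything else here (role names, sample users, the in-memory "directory")
is constructed for illustration.
"""

# Subset of documented userAccountControl flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002


def parse_uac(raw):
    """LDAP hands the attribute back as a decimal string or bytes; normalise to int."""
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    return int(str(raw).strip())


def decode_uac(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def account_enabled(uac):
    """An account is enabled when the ACCOUNTDISABLE bit is clear, whatever else is set."""
    return not (uac & ACCOUNTDISABLE)


def enforcement_decision(endpoint, directory):
    """Decide the role for a cached endpoint, mirroring the rule in the post.

    endpoint: dict with the cached "username" from the original web login.
    directory: mapping username -> LDAP attributes (stand-in for the AD
    authorization source). Returns (role, reason).
    """
    username = endpoint["username"]
    entry = directory.get(username)
    if entry is None:
        # The account no longer exists: fall back to the logon role.
        return ("logon", "user %s not found in AD" % username)
    uac = parse_uac(entry["userAccountControl"])
    flags = ", ".join(decode_uac(uac))
    if not account_enabled(uac):
        return ("logon", "account disabled (%s)" % flags)
    return ("guest", "account enabled (%s)" % flags)


# Constructed sample data: four cached users with different UAC values.
SAMPLE_DIRECTORY = {
    "alice": {"userAccountControl": "512"},     # enabled, no other flags
    "bob":   {"userAccountControl": "514"},     # disabled
    "carol": {"userAccountControl": "66048"},   # enabled, password never expires
    "dave":  {"userAccountControl": b"66050"},  # disabled, password never expires
}

SAMPLE_ENDPOINTS = [
    {"mac": "00-11-22-33-44-01", "username": "alice"},
    {"mac": "00-11-22-33-44-02", "username": "bob"},
    {"mac": "00-11-22-33-44-03", "username": "carol"},
    {"mac": "00-11-22-33-44-04", "username": "dave"},
    {"mac": "00-11-22-33-44-05", "username": "erin"},  # deleted from AD
]


def run_all(endpoints=SAMPLE_ENDPOINTS, directory=SAMPLE_DIRECTORY):
    """Evaluate every cached endpoint and return {mac: role}."""
    return {ep["mac"]: enforcement_decision(ep, directory)[0] for ep in endpoints}


if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        role, reason = enforcement_decision(ep, SAMPLE_DIRECTORY)
        print("%s (%s): %s - %s" % (ep["mac"], ep["username"], role, reason))
```

Note that carol would be rejected by an equality test against 512 even though her account is enabled; only the disable bit decides.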
12-04-2015 07:16 AM
Looking to achieve the same thing. You wouldn't by chance remember what you configured in the enforcement, or whether the 512 value is the same for all Microsoft AD?
Comm Solutions Company | www.commsolutions.com