KDI
Contributor I
Posts: 25
Registered: ‎02-02-2015

Deny access after user account disabled in Active Directory

MAC Caching is deployed and working. When we disable a user in AD, and the user has already authenticated via the captive portal and then been MAC cached, the user continues to have the ability to MAC cache (and access resources). The following LDAP query is being used in the WebLoginExists attribute within our current Authorization method: (&(sAMAccountName=%{Endpoint:Username})(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Guru Elite
Posts: 7,841
Registered: ‎09-08-2010

Re: Deny access after user account disabled in Active Directory

If you clear the cache for the endpoint, does it work?


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
KDI
Contributor I
Posts: 25
Registered: ‎02-02-2015

Re: Deny access after user account disabled in Active Directory

We can clear cache at the attribute in the authentication source. We did this and the AD account is disabled, yet devices still auth in CPPM via MAC caching.

Aruba
Posts: 1,520
Registered: ‎06-12-2012

Re: Deny access after user account disabled in Active Directory

Your Mac caching enforcement must also include ad authorization.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
KDI
Contributor I
Posts: 25
Registered: ‎02-02-2015

Re: Deny access after user account disabled in Active Directory

AD auth is in place. Tested LDAP query against enabled and disabled accounts prior to MAC caching using the WebLoginExists attribute. What may be happening is that once MAC caching is complete there is no check back into AD to see if an account has become disabled. MAC caching changes the user name from the AD name to the MAC hw address in the endpoint db. There is an attribute that references the AD name assoc. with the MAC hw account in the endpoint db entry for the device. We have MAC caching enabled for 48 hours.

 

If there was a check in place for a disabled account after MAC caching, MAC caching should fail and the user would return to the captive portal for authentication. Upon the captive portal authentication attempt the user would not be able to access resources.

MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Deny access after user account disabled in Active Directory

I ran into that same issue a couple of months ago.

Unfortunately I couldn't find a way that during the MAC AUTH we can check whether the user account was disabled or expired.

This setup was for contractors with an AD account; we decided that they had to log in every day (only cache the MAC for the day) through the captive portal.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: Deny access after user account disabled in Active Directory

I may be misreading the problem here, but couldn't the AD authentication source be changed slightly so the value of "userAccountControl:1.2.840.113556.1.4.803:" is written to an attribute which can then be queried as part of MAC authentication?

 

Essentially you would leave your LDAP filter as the standard:

 

(&(sAMAccountName=%{Endpoint:Username})(objectClass=user))

 

and add an attribute called AccountEnabled which matches the field "userAccountControl:1.2.840.113556.1.4.803:". On the MAC authentication service you just write an enforcement profile which checks whether the Authorisation attribute AccountEnabled is not equal to 2.

 

Apologies if this is wrong, maybe you could post screenshots of the service so we could take another look.

 

David
ACDX #98 | ACMP | ACCP
MVP
Posts: 4,012
Registered: ‎07-20-2011

Re: Deny access after user account disabled in Active Directory

Very nice!! Dave
That's exactly what I was missing:

(&(sAMAccountName=%{Endpoint:Username})(objectClass=user))

I added the username to the endpoint and included the useraccountcontrol but didn't add the endpoint username check.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
KDI
Contributor I
Posts: 25
Registered: ‎02-02-2015

Re: Deny access after user account disabled in Active Directory

Team-

 

I am going to try to work on this in our near prod environment this afternoon and I will post results.

 

Kirk

KDI
Contributor I
Posts: 25
Registered: ‎02-02-2015

Re: Deny access after user account disabled in Active Directory

Team-

First. Thank you.

We revisited our auth source and added an attribute called userAccountControl to an existing filter called Webdn. We then removed the following from the LDAP query: (!(userAccountControl:1.2.840.113556.1.4.803:=2)), leaving only this: (&(sAMAccountName=%{Endpoint:Username})(objectClass=user))

 

We then revisited our enforcement policy for MAC caching and added a condition:

Authorization:AD Domain userAccountControl=514

Enforcement profile: Radius(Deny Access Profile)

We authenticated via Captive Portal. We then authenticated via MAC Caching. We disabled the account in AD.

Test did not work. We were still able to authenticate via MAC Caching. We cleared cache for the authentication source and retested. Success. We were denied access and returned to the captive portal.

Thanks to the team of Airheads  helping me out. One more question?

What is the interval for clearing cache on auth sources?  Is it automated and can it be changed?

Thank you again....
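Added example, not code from the thread or from ClearPass: a small Python model of the two checks discussed above (the bitwise-AND LDAP filter on userAccountControl and the "userAccountControl=514" enforcement condition) evaluated over constructed userAccountControl values. It assumes the enforcement condition compares the attribute as a plain integer, and shows that equality with 514 only catches one disabled-account flag combination, whereas testing the ACCOUNTDISABLE bit (what the 1.2.840.113556.1.4.803 matching rule does) also catches disabled accounts that carry other flags such as DONT_EXPIRE_PASSWORD.

```python
# Added example (not from the thread). AD's userAccountControl is a bit field;
# the values below are the documented Microsoft flag bits.
ACCOUNTDISABLE = 0x0002          # 2
NORMAL_ACCOUNT = 0x0200          # 512
DONT_EXPIRE_PASSWORD = 0x10000   # 65536

# Constructed sample of AD users: sAMAccountName -> userAccountControl.
SAMPLE_USERS = {
    "alice": NORMAL_ACCOUNT,                                        # 512, enabled
    "bob":   NORMAL_ACCOUNT | ACCOUNTDISABLE,                       # 514, disabled
    "carol": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,                 # 66048, enabled
    "dave":  NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE,  # 66050, disabled
}


def ldap_bitwise_and_filter(username, users=SAMPLE_USERS):
    """Models the thread's original WebLoginExists filter:
    (&(sAMAccountName=...)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the entry
    matches (login allowed) only when the ACCOUNTDISABLE bit is clear."""
    uac = users.get(username)
    if uac is None:
        return False          # no such user: WebLoginExists resolves empty
    return (uac & ACCOUNTDISABLE) == 0


def deny_if_equals_514(username, users=SAMPLE_USERS):
    """Models the enforcement condition from the last post:
    'Authorization:AD Domain userAccountControl=514' -> Deny Access.
    Assumption: the condition is a numeric equality test."""
    uac = users.get(username)
    return uac is not None and uac == 514


def deny_if_disabled_bit(username, users=SAMPLE_USERS):
    """Same enforcement idea, but testing the ACCOUNTDISABLE bit instead of
    equality with 514, so other flag combinations are denied as well."""
    uac = users.get(username)
    return uac is not None and (uac & ACCOUNTDISABLE) != 0


def compare(users=SAMPLE_USERS):
    """Returns (name, uac, filter_allows, deny_eq_514, deny_bit) per user."""
    return [(n, users[n], ldap_bitwise_and_filter(n, users),
             deny_if_equals_514(n, users), deny_if_disabled_bit(n, users))
            for n in users]


if __name__ == "__main__":
    for name, uac, allowed, deny514, denybit in compare():
        print(f"{name:6} uac={uac:6} filter_allows={allowed!s:5} "
              f"deny_eq_514={deny514!s:5} deny_bit={denybit}")
```

In the constructed sample, "dave" is disabled but has userAccountControl 66050, so the equality condition would not deny him while the bit test would.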
