Occasional Contributor I
Posts: 5
Registered: ‎04-05-2016

EAP-TLS and checking user is not disabled or locked in AD

Hello,

I'm looking to create a service/policy that uses EAP-TLS to authenticate user and machine certificates but for authorization ensures that the account is still in good standing in Active Directory.  Currently we're pulling the Subject CN and I have the policy authenticating valid certificates, but it's still authorizing the user regardless of the status of their account.  I've done this with other Radius products, just trying to figure out how to do it the CPPM way ;)

Thanks,

Greg

MVP
Posts: 4,082
Registered: ‎07-20-2011

Re: EAP-TLS and checking user is not disabled or locked in AD

In the AD auth source you add the userAccountControl attribute and use that attribute (512 = enabled or 514 = disabled) in your enforcement policies.

Sent from Outlook for iPhone
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
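The answer above matches on the literal values 512 and 514. The following is an added example (my own code, not ClearPass's or any poster's) that goes a step further and decodes userAccountControl as the bitmask it actually is, so that an enabled account carrying extra flags (for example 66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD) is still recognised as enabled and a disabled one (66050) as disabled, and that checks lockoutTime for the "locked" half of the question. The account records, the 30-minute lockout duration and the clock value are constructed for the example; a real deployment reads them from AD and the domain password policy.

```python
"""Decode AD userAccountControl / lockoutTime for a post-EAP-TLS authorization decision.

Added example; the account records below are constructed, not taken from any real directory.
"""
from datetime import datetime, timedelta, timezone

# Well-known userAccountControl bit flags (ADS_USER_FLAG_ENUM subset).
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",            # not reliably maintained in userAccountControl; use lockoutTime
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # lockoutTime is a Windows FILETIME


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_disabled(uac):
    """True when the ACCOUNTDISABLE bit is set, whatever other flags are present."""
    return bool(uac & ACCOUNTDISABLE)


def filetime_to_datetime(filetime):
    """Convert 100-ns intervals since 1601-01-01 UTC to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample records."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def is_locked(lockout_time, lockout_duration, now):
    """lockoutTime of 0 means never locked (or unlocked by an admin).

    A non-zero value is the time the lockout started; the DC considers it expired
    once lockoutDuration has elapsed, which is what the comparison reproduces.
    """
    if lockout_time == 0:
        return False
    return now < filetime_to_datetime(lockout_time) + lockout_duration


def authorize(record, now, lockout_duration):
    """Authorization step after a valid EAP-TLS certificate: deny if disabled or locked."""
    uac = int(record["userAccountControl"])
    if is_disabled(uac):
        return ("deny", "ACCOUNTDISABLE set: %s" % "+".join(decode_uac(uac)))
    if is_locked(int(record.get("lockoutTime", 0)), lockout_duration, now):
        return ("deny", "account locked out")
    return ("permit", "enabled: %s" % "+".join(decode_uac(uac)))


# Constructed sample data: clock, domain lockout policy and four user records.
NOW = datetime(2016, 5, 1, 12, 0, tzinfo=timezone.utc)
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed domain policy value
SAMPLE_ACCOUNTS = {
    "alice": {"userAccountControl": 512, "lockoutTime": 0},        # plain enabled user
    "bob":   {"userAccountControl": 514, "lockoutTime": 0},        # plain disabled user
    "carol": {"userAccountControl": 66048, "lockoutTime": 0},      # enabled, password never expires
    "dave":  {"userAccountControl": 66050, "lockoutTime": 0},      # disabled, password never expires
    "erin":  {"userAccountControl": 512,                           # enabled but locked 10 min ago
             "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=10))},
    "frank": {"userAccountControl": 512,                           # lockout expired an hour ago
             "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},
}


def run_samples():
    """Return {user: decision} for the constructed records."""
    return {user: authorize(rec, NOW, LOCKOUT_DURATION)[0] for user, rec in SAMPLE_ACCOUNTS.items()}


if __name__ == "__main__":
    for user, rec in SAMPLE_ACCOUNTS.items():
        print(user, authorize(rec, NOW, LOCKOUT_DURATION))
```

The point of the bitmask decode is that an exact match on 512 or 514 silently misclassifies carol and dave, whose accounts differ from alice and bob only by the DONT_EXPIRE_PASSWD bit; an enforcement condition that tests the ACCOUNTDISABLE bit rather than the whole integer does not have that gap.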
Guru Elite
Posts: 20,348
Registered: ‎03-29-2007

Re: EAP-TLS and checking user is not disabled or locked in AD

In your EAP-TLS authentication method, you would make sure that "authorization required" is enabled.  My apologies if you have already tried that.

http://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/index.htm#CPPM_UserGuide/Auth/AuthMethod_eap-tls.htm?Highlight=eap-tlsauthorization



Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 5
Registered: ‎04-05-2016

Re: EAP-TLS and checking user is not disabled or locked in AD

Thanks Victor,

I think your answer is on the right track.  Can you send me some extra details on how to configure this?

Sorry for the lengthy gap, it's been a busy week of projects lately.

Thanks,

Greg
