EAP-TLS and checking user is not disabled or locked in AD

Hello,

I'm looking to create a service/policy that uses EAP-TLS to authenticate user and machine certificates but for authorization ensures that the account is still in good standing in Active Directory.  Currently we're pulling the Subject CN and I have the policy authenticating valid certificates, but it's still authorizing the user regardless of the status of their account.  I've done this with other Radius products, just trying to figure out how to do it the CPPM way ;)


Thanks,

Greg

Re: EAP-TLS and checking user is not disabled or locked in AD

In the AD auth source, add the userAccountControl attribute and use that attribute (512 = enabled, 514 = disabled) in your enforcement policies.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
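A worked version of the check described in the reply above. This is an added example written for this thread, not ClearPass code and not something from the original posters. It assumes the certificate's Subject CN is the account's sAMAccountName (as in the original poster's setup), simulates the Active Directory lookup with a constructed in-memory dictionary, and uses a 30-minute lockoutDuration; the attribute names and flag values are the real AD ones. Two caveats it builds in: userAccountControl is a bitmask, so 514 is 512 with the ACCOUNTDISABLE bit (0x2) set and a disabled account with additional flags (for example 66050, which also has DONT_EXPIRE_PASSWORD) would slip past a plain equality test; and lockout is not stored in userAccountControl at all but in lockoutTime, so a separate attribute is needed for that part of the question.

```python
"""AD account-status check for EAP-TLS authorization.

Added example, not ClearPass code and not from the thread. It models
the authorization step the reply describes: EAP-TLS has already
validated the certificate, the Subject CN is looked up in Active
Directory, and the request is only authorized if the account is
neither disabled nor locked out. The directory is a constructed
in-memory dictionary; attribute names are the real AD ones.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl is a bitmask. 512 is NORMAL_ACCOUNT; 514 is
# NORMAL_ACCOUNT | ACCOUNTDISABLE. Other flags (e.g. DONT_EXPIRE_PASSWORD,
# 0x10000) change the decimal value, so test the bit, not the whole number.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match supported by AD.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """AD lockoutTime is a FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set (514, 66050, ...)."""
    return bool(uac & ACCOUNTDISABLE)


def is_locked_out(lockout_time: int, lockout_duration: timedelta,
                  now: datetime) -> bool:
    """Lockout lives in lockoutTime, not in userAccountControl.
    0 means never locked; the lock is treated as expired once
    lockoutDuration has elapsed (lockoutTime itself stays set)."""
    if lockout_time == 0:
        return False
    return now < filetime_to_datetime(lockout_time) + lockout_duration


def active_account_filter(cn: str) -> str:
    """LDAP filter that excludes disabled accounts at lookup time, for an
    auth source that accepts a custom filter. cn is assumed to need no
    LDAP escaping (plain sAMAccountName values)."""
    return f"(&(sAMAccountName={cn})(!(userAccountControl:{BIT_AND_RULE}:=2)))"


def authorize(cn, directory, now, lockout_duration=timedelta(minutes=30)):
    """Return (allowed, reason). Assumes the certificate Subject CN is
    the sAMAccountName, as in the original post (an assumption)."""
    entry = directory.get(cn)
    if entry is None:
        return False, "no AD account for certificate CN"
    if is_disabled(entry["userAccountControl"]):
        return False, "account disabled (ACCOUNTDISABLE bit set)"
    if is_locked_out(entry["lockoutTime"], lockout_duration, now):
        return False, "account locked out"
    return True, "account in good standing"


# Constructed sample data (not real accounts, not real lockout times).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_AD = {
    "gsmith": {"userAccountControl": 512, "lockoutTime": 0},
    "jdoe": {"userAccountControl": 514, "lockoutTime": 0},
    # disabled + DONT_EXPIRE_PASSWORD: an equality test against 514 misses it
    "kwong": {"userAccountControl": 66050, "lockoutTime": 0},
    # locked 10 minutes ago: still inside the 30-minute lockoutDuration
    "mlee": {"userAccountControl": 512,
             "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=10))},
    # locked 2 hours ago: lock has expired, account is usable again
    "rpatel": {"userAccountControl": 512,
               "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},
}

if __name__ == "__main__":
    for account in SAMPLE_AD:
        print(account, authorize(account, SAMPLE_AD, NOW))
```

In a ClearPass enforcement policy the equivalent of is_disabled is a condition on the fetched userAccountControl attribute; the point of the bit test is that the condition should not rely on the value being exactly 512 or 514. If the auth source allows a custom LDAP filter, the active_account_filter string keeps disabled accounts from matching at all, which also covers the "no account found" case.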

Re: EAP-TLS and checking user is not disabled or locked in AD


In your EAP-TLS authentication method, you would make sure that "authorization required" is enabled.  My apologies if you have already tried that.


http://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/index.htm#CPPM_UserGuide/Auth/AuthMethod_eap-tls.htm?Highlight=eap-tlsauthorization

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************

Re: EAP-TLS and checking user is not disabled or locked in AD

Thanks Victor,

I think your answer is on the right track.  Can you send me some extra details on how to configure this?


Sorry for the lengthy gap, it's been a busy week of projects lately.


Thanks,

Greg
