Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Enforcement policy checking whether an AD account has been disabled

  • 1.  Enforcement policy checking whether an AD account has been disabled

    Posted Oct 25, 2017 08:34 AM

    I'm trying to push the rollout of EAP-TLS based authentication. One of the requirements I've got is that I need to check whether the user using the cert has had their account revoked.

    Now I reckon I could do something similar in a number of ways, but

    assuming that the cert CN = their userid, can I check the status of an AD account as part of an enforcement policy, i.e. to see if it's revoked?



  • 2.  RE: Enforcement policy checking whether an AD account has been disabled

    Posted Oct 25, 2017 08:52 AM

    Not sure what I was thinking with the last sentence. The logic is:

    If (AD account disabled)
      send Access-Reject
    else
      perform OCSP cert validation and act upon the result



  • 3.  RE: Enforcement policy checking whether an AD account has been disabled



  • 4.  RE: Enforcement policy checking whether an AD account has been disabled

    Posted Sep 10, 2018 08:46 AM

    Hi,

    This template is right if the attribute equals 66050:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-check-if-an-AD-account-is-disabled-in-ClearPass-with-the/ta-p/185530

    But what if the attribute userAccountControl is not equal to 66050 and is equal, for example, to 514, which is equally a sign that the account is locked? How do I check all situations in which the account is locked, except for the one specified in the example?

    I also checked the attribute call (!(userAccountControl:1.2.840.113556.1.4.803:=2)), but this is not working either.



  • 5.  RE: Enforcement policy checking whether an AD account has been disabled

    Posted Sep 10, 2018 09:34 AM

    Not sure what the problem is.

    If you're just checking for accountStatus being something other than 66050 ...

    I set up two roles, "UoY AD Account Enabled" and "UoY AD Account Disabled", which are created as shown in the attached file

    ... and then acted upon in the enforcement policy.

    I may have the wrong end of the stick, but isn't that what you want to do ... just adding extra conditions for whatever value you need?



  • 6.  RE: Enforcement policy checking whether an AD account has been disabled

    Posted Sep 10, 2018 10:01 AM

    Hi Alex,

    Thanks for your answer.

    I want to check the second bit of the attribute "userAccountControl" as a hexadecimal value (for a disabled account it is 0x00000002) and compare whether this value is not equal to 2.

    I don't want to allow access to the enterprise wireless networks if the user account is disabled.



  • 7.  RE: Enforcement policy checking whether an AD account has been disabled

    Posted Apr 04, 2019 02:20 AM

    Hi Mike!

    Did you find the answer to how to make a bitwise operation in ClearPass?



  • 8.  RE: Enforcement policy checking whether an AD account has been disabled

    Posted Apr 08, 2019 04:32 AM

    Hi Alyona,

    Yes, I solved this issue.

    It was done by creating an AD attribute with the following filter query:

    (&(sAMAccountName=%{Authentication:Username})(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

    And add in the role the following condition as an int attribute.
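Added example, not code from this thread, from HPE Aruba or from ClearPass: a small Python model of the userAccountControl check that posts 6 and 8 describe. It implements the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) that the filter in post 8 uses, runs the filter over a constructed sample directory, and contrasts it with the literal "equals 66050" comparison from the article linked in post 4, which is the gap post 4 asked about. The flag values are Microsoft's documented userAccountControl bits; the directory entries, the `enforcement_decision` helper and its return strings are constructed for illustration and are not ClearPass identifiers.

```python
from typing import Optional

# userAccountControl flag values as documented by Microsoft.
ACCOUNTDISABLE = 0x0002         # bit 2: the account is disabled
NORMAL_ACCOUNT = 0x0200         # 512: default user account type
DONT_EXPIRE_PASSWORD = 0x10000  # 65536: password never expires

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}


def decode_flags(uac: int) -> list:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]


def ldap_bit_and(attr_value: int, mask: int) -> bool:
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): true when every
    bit of the mask is set in the attribute value."""
    return (attr_value & mask) == mask


def is_disabled(uac: int) -> bool:
    """Same test as (userAccountControl:1.2.840.113556.1.4.803:=2)."""
    return ldap_bit_and(uac, ACCOUNTDISABLE)


def equals_66050(uac: int) -> bool:
    """The literal comparison from the linked article, kept for contrast: it
    only recognises a disabled account that also has NORMAL_ACCOUNT and
    DONT_EXPIRE_PASSWORD set (65536 + 512 + 2 = 66050)."""
    return uac == 66050


def matches_thread_filter(entry: dict, username: str) -> bool:
    """Evaluate the filter posted in this thread against one directory entry:
    (&(sAMAccountName=%{Authentication:Username})(objectClass=user)
       (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    sAMAccountName is compared case-insensitively, as AD does."""
    return (
        entry.get("sAMAccountName", "").lower() == username.lower()
        and "user" in entry.get("objectClass", [])
        and not is_disabled(entry.get("userAccountControl", 0))
    )


# Constructed sample directory; these are not real accounts.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "alice", "objectClass": ["top", "person", "user"], "userAccountControl": 512},
    {"sAMAccountName": "bob",   "objectClass": ["top", "person", "user"], "userAccountControl": 514},
    {"sAMAccountName": "carol", "objectClass": ["top", "person", "user"], "userAccountControl": 66050},
    {"sAMAccountName": "dave",  "objectClass": ["top", "person", "user"], "userAccountControl": 66048},
]


def lookup_enabled_user(directory: list, username: str) -> Optional[dict]:
    """What an authorization source using the thread's filter would return:
    the entry for an enabled user, or nothing for a disabled or unknown one."""
    for entry in directory:
        if matches_thread_filter(entry, username):
            return entry
    return None


def enforcement_decision(directory: list, username: str) -> str:
    """Model of the logic in post 2 (hypothetical helper): reject when the
    filter returns nothing, otherwise continue to the OCSP certificate check."""
    if lookup_enabled_user(directory, username) is None:
        return "Access-Reject"
    return "continue-to-ocsp"


if __name__ == "__main__":
    for entry in SAMPLE_DIRECTORY:
        name, uac = entry["sAMAccountName"], entry["userAccountControl"]
        print(f"{name:6} uac={uac:6} {str(decode_flags(uac)):58} "
              f"disabled={str(is_disabled(uac)):5} equals_66050={str(equals_66050(uac)):5} "
              f"-> {enforcement_decision(SAMPLE_DIRECTORY, name)}")
```

Running it shows why the bit test is the right tool: `bob` (514 = NORMAL_ACCOUNT + ACCOUNTDISABLE) and `carol` (66050) are both disabled, but only `carol` matches the literal 66050 comparison, and an integer "not equals 2" condition on the whole attribute cannot isolate one bit either. Putting the matching rule in the filter itself, as post 8 does, means a disabled account simply returns no row, so the enforcement policy never has to do arithmetic on the value.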