Valued Contributor I

Enforcement policy checking whether an AD account has been disabled

I'm trying to push the roll-out of EAP-TLS based authentication. One of the requirements I've got is that I need to check whether the user using the cert has had their account revoked.

Now I reckon I could do something similar in a number of ways, but

assuming that the cert CN = their userid, can I check the status of an AD account as part of an enforcement policy, i.e. to see if it's revoked?

Valued Contributor I

Re: Enforcement policy checking whether an AD account has been disabled

Not sure what I was thinking with the last sentence. The logic is:

If (AD account disabled)

    send Access-Reject

else

    perform OCSP cert validation and act upon the result

Guru Elite

Re: Enforcement policy checking whether an AD account has been disabled

New Contributor

Re: Enforcement policy checking whether an AD account has been disabled

Hi,

This template is right if the attribute equals 66050:

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-check-if-an-AD-account-is-disabled-in-ClearPass-with-the/ta-p/185530

But what if the attribute <userAccountControl> is not equal to 66050 but equals, for example, 514, which is the same sign that the account is locked? How do I check all situations where the account is locked, not only the one specified in the example?

I also checked the attribute with (!(userAccountControl:1.2.840.113556.1.4.803:=2)), but this is not working either.

Valued Contributor I

Re: Enforcement policy checking whether an AD account has been disabled

Not sure what the problem is.

If you're just checking for accountStatus being something other than 66050 ...

I set up two roles, "UoY AD Account Enabled" and "UoY AD Account Disabled", which are created as shown in the attached file

... and then acted upon in the enforcement policy.

I may have the wrong end of the stick, but isn't that what you want to do ... just adding extra conditions for whatever value you need?

New Contributor

Re: Enforcement policy checking whether an AD account has been disabled

Hi Alex,

Thanks for your answer.

I want to check the second bit of the attribute "userAccountControl" in hexadecimal (for a disabled account it is 0x00000002) and compare whether this value is not equal to 2.

I don't want to allow access to the enterprise wireless network if the user account is disabled.
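
A constructed illustration of the point made in this thread, added here and not taken from the thread or from ClearPass: comparing userAccountControl against the single value 66050 misses 514 (and any other combination) because "disabled" is the 0x2 bit, which is what the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 tests. Flag names are Microsoft's documented userAccountControl bits; the sample account values are made up.

```python
# Added example: decode AD userAccountControl and test the ACCOUNTDISABLE bit
# the way the LDAP matching rule 1.2.840.113556.1.4.803 (bitwise AND) does.
# Flag values are Microsoft's documented userAccountControl bits; the sample
# accounts below are constructed for illustration only.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",  # lockout is normally reported elsewhere, not via this bit
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value, low bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and_matches(value: int, mask: int) -> bool:
    """Emulate (userAccountControl:1.2.840.113556.1.4.803:=mask):
    true only when every bit of mask is set in value."""
    return value & mask == mask


def is_disabled(value: int) -> bool:
    """What the thread wants: disabled regardless of the other flags."""
    return bit_and_matches(value, ACCOUNTDISABLE)


def is_disabled_by_equality(value: int) -> bool:
    """The linked template's check: matches only the one exact value 66050."""
    return value == 66050


# Constructed sample accounts: (userAccountControl, description)
SAMPLES = [
    (512, "normal, enabled"),
    (514, "normal, disabled"),
    (66048, "normal + password never expires, enabled"),
    (66050, "normal + password never expires, disabled"),
    (262658, "normal + smartcard required, disabled"),
]


def compare_checks() -> dict[int, tuple[bool, bool]]:
    """Map each sample value to (equality-check result, bit-check result)."""
    return {uac: (is_disabled_by_equality(uac), is_disabled(uac)) for uac, _ in SAMPLES}


if __name__ == "__main__":
    for uac, desc in SAMPLES:
        eq, bit = compare_checks()[uac]
        print(f"{uac:>7} {desc:<42} ==66050: {eq!s:<5} bit 0x2: {bit}")
        print("        flags:", ", ".join(decode_uac(uac)))
```

Only the bit check flags 514 and 262658 as disabled; the equality check catches 66050 alone.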
