Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Using ClearPass for Authorization only

  • 1.  Using ClearPass for Authorization only

    Posted Oct 27, 2014 12:54 AM

    Hi all,

    I've got a situation I'm trying to work around which I'm hoping someone has done before.

    I have a use case where we want to just present a username via RADIUS (from an F5 APM) and then have it query AD for a group membership, regardless of auth pass/fail.

    We basically want to verify that the account exists without caring if the password is correct or not, and then send back a RADIUS response with the attributes contained within.

    I'm thinking if I do a generic RADIUS rule tied to AD but don't put anything in the authentication tab this should work (provided the enforcement profile sends the AVP for a failed auth case).

    Has anybody tried something like this before?

    I'd be interested to know before I start building up the lab!

    Scott



  • 2.  RE: Using ClearPass for Authorization only

    Posted Oct 27, 2014 05:27 AM

    I don't know if this helps, but I have added rules successfully before that check AD accounts exist and are in a certain group. After "joining" CPPM to the domain, you can do it via LDAP stuff. Granted, I was doing the auth/password too, but that shouldn't matter in theory.

    Anyway, the two key authorization parts I think you need in your authorization "source" configuration are...

    "userAccountControl", which usually returns 512 if the account exists and is active. Here's a link to the values it uses.

    http://support.microsoft.com/kb/305144

    Then you can use "memberOf" to check it "contains" the group you're looking for.

    I suspect it's then just a case of setting the enforcement policy to give the outcome you want (regardless of auth fail/pass). Can you describe what it is you want CPPM to do, in the event of certain values being found, regardless of the password?
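    Added example (not code from the thread or from ClearPass): reading the two attributes the reply above points at, userAccountControl and memberOf, the way an authorization source would, and turning them into the separate "was AD reachable / does the account exist / is it in the group" signals the original post is after. The directory entries, usernames and group DN are constructed sample values.

```python
# Added example, not code from the thread or from ClearPass. Decodes the two
# AD attributes the reply above relies on (userAccountControl and memberOf)
# and derives the outcome the original poster wants: did the AD lookup work,
# does the account exist, and what did it contain, independent of the password.

# Flag bits as documented in Microsoft KB 305144 (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",            # listed in the KB; see the note in authorize()
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",     # 512: the value the reply mentions
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

# Constructed LDAP search results (attribute -> list of string values), the
# shape a directory client hands back. Sample values only, not a real domain.
SAMPLE_ENTRIES = {
    "scott": {"userAccountControl": ["512"],
              "memberOf": ["CN=VPN-Users,OU=Groups,DC=example,DC=com"]},
    "svc-disabled": {"userAccountControl": ["514"],   # 512 + ACCOUNTDISABLE
                     "memberOf": []},
}
REQUIRED_GROUP = "CN=VPN-Users,OU=Groups,DC=example,DC=com"  # assumed group DN


def decode_uac(value):
    """Return the names of the documented flag bits set in userAccountControl."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def authorize(directory, username, required_group_dn):
    """Evaluate one lookup the way the thread's authorization rule would.

    `directory` is a dict of entries (here SAMPLE_ENTRIES) or None to simulate
    an unreachable source. Note: a current AD does not set the LOCKOUT bit in
    userAccountControl for a locked-out user; lockout surfaces via lockoutTime
    and the computed attribute msDS-User-Account-Control-Computed. A 512 here
    therefore does not prove the password is usable, which is why the lookup
    result is worth reporting separately from the auth pass/fail.
    """
    if directory is None:
        return {"source_ok": False}            # AD itself is down
    entry = directory.get(username)
    if entry is None:
        return {"source_ok": True, "exists": False}
    uac = int(entry["userAccountControl"][0])
    groups = {g.lower() for g in entry.get("memberOf", [])}
    return {"source_ok": True, "exists": True,
            "flags": decode_uac(uac),
            "disabled": bool(uac & 0x0002),
            "in_group": required_group_dn.lower() in groups}
```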

  • 3.  RE: Using ClearPass for Authorization only

    Posted Oct 27, 2014 06:09 PM

    Basically health checking the authentication service from the RADIUS client right through to AD.

    We are currently doing a regular test auth using a single AD account but would like to do a secondary check.

    For example, if the account password is locked out we don't want to just call the service down; we'd like to do some form of secondary check such as querying a group membership (or any attribute for that matter) to verify that the AD source is working, even if the account is locked out etc.

    Perhaps what I could do is have an Allow Access policy in both pass/fail cases but return a different enforcement profile attribute in the pass/fail case that verifies the AD lookup was successful.


  • 4.  RE: Using ClearPass for Authorization only

    EMPLOYEE
    Posted Oct 27, 2014 06:12 PM
    Keep in mind that an 802.1X request cannot pass if authentication fails, even if you send back a different action/enforcement.


  • 5.  RE: Using ClearPass for Authorization only

    Posted Oct 27, 2014 11:53 PM

    This case is just using RADIUS PAP, so I was thinking of passing Access-Accept with different "add-on" attributes.

    After looking at how the other device does the query I don't think I'm going to be able to make this work, as the F5 only takes a "yes/no" response into consideration.