Using LDAP errors to inform portal users of the reason for an auth failure

So I have a customer where a portal is used to grant access to AD users.

Their AD has a requirement to change passwords every x amount of time. The problem, however, is that these users might never connect to the corporate network anymore, as the portal is facing out to the internet.

When such a user account has an expired password he cannot log on anymore.
Access Tracker, however, shows an IETF Reply-Message with (a code for) the exact reason.

Is there any way to leverage that IETF Reply-Message to redirect the user to a different portal where he can set a new password?

Or, at the very least, translate that code and return an understandable error instead of just failing?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.

Re: Using LDAP errors to inform portal users of the reason for an auth failure

In ClearPass 6.3, we have introduced an exposed way of checking for account expiration. Based on this, you can write a policy to redirect based on this value.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos

Re: Using LDAP errors to inform portal users of the reason for an auth failure

Details please.

I'm using AD users and can see the IETF Reply-Messages, but how do I turn that into something useful?

Since the AD passwd has expired we simply get presented with a deny, and any role we try pushing gets ignored.

Koen (ACMX #351 | ACDX #547 | ACCP)

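Added example, not from the thread or from ClearPass: what "translating that code" looks like once the portal can see the AD bind diagnostic. Active Directory answers a failed simple bind with LDAP resultCode 49 and a diagnostic string whose "data NNN" sub-code says why (52e wrong password, 532 password expired, 773 must reset, 775 locked out, and so on). The sample diagnostic strings below are constructed; the assumption is that this text is what reaches the portal (for example via the Reply-Message the poster sees in Access Tracker). The reset portal URL and the helper names are illustrative, and the mapping keeps "no such user" and "wrong password" indistinguishable on purpose, because an internet-facing portal that tells them apart is a username oracle.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed examples of the diagnostic text Active Directory attaches to an
# LDAP bind failure (resultCode 49, invalidCredentials). Only the hex value after
# "data" varies; it is the part that says *why* the bind failed.
SAMPLE_DIAGNOSTICS = {
    "wrong_password": "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
    "no_such_user":   "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 525, v2580",
    "pwd_expired":    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v2580",
    "must_reset":     "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580",
    "locked_out":     "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580",
}

# Active Directory sub-codes for resultCode 49, as they appear in the diagnostic text.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata ([0-9a-fA-F]+)\b")


@dataclass(frozen=True)
class PortalDecision:
    subcode: Optional[str]     # raw AD sub-code, or None if the text did not parse
    reason: str                # internal reason: log it, do not show it
    user_message: str          # what the portal may safely display
    redirect_to_reset: bool    # send the user to the password-reset portal?


def parse_ad_subcode(diagnostic: str) -> Optional[str]:
    """Pull the hex sub-code out of an AD bind diagnostic string (None if absent)."""
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def decide(diagnostic: str, reset_portal_url: str) -> PortalDecision:
    """Translate an AD bind failure into a portal outcome.

    Deliberately coarse: "no such user" (525), "wrong password" (52e) and anything
    unparsed collapse to one message. Only the two "your password is the problem"
    states (532, 773) trigger a redirect; lockouts, disabled and expired accounts
    get a generic helpdesk message while the precise reason goes to the audit log.
    """
    code = parse_ad_subcode(diagnostic)
    reason = AD_BIND_SUBCODES.get(code, "unrecognised bind failure")
    if code in ("532", "773"):
        return PortalDecision(code, reason,
                              f"Your password has expired. Reset it at {reset_portal_url} and sign in again.",
                              True)
    if code in ("530", "531", "533", "701", "775"):
        return PortalDecision(code, reason,
                              "Your account cannot sign in right now. Please contact the service desk.",
                              False)
    return PortalDecision(code, reason, "Invalid username or password.", False)


if __name__ == "__main__":
    for name, diag in SAMPLE_DIAGNOSTICS.items():
        d = decide(diag, "https://reset.example.com")   # hypothetical reset portal
        print(f"{name:14} data={d.subcode} log='{d.reason}' redirect={d.redirect_to_reset} -> {d.user_message}")
```

Two caveats a practitioner would want: even the 532/773 redirect confirms that the username exists, so the login page needs rate limiting and the reset portal must authenticate the user itself (old password plus a second factor) rather than trusting the redirect; and this only helps if the NAS actually passes the Reply-Message through to the captive portal, which is the open question in this thread.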

Re: Using LDAP errors to inform portal users of the reason for an auth failure

Hmmm... I reread your inquiry. If the account is ALREADY expired, then it is a reject and I don't believe there is much we can do with that, as it's a denial. However, before the account expires, we can notify the user that it will expire. Again, this is a new feature, so it's not something I've personally configured (yet).

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
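Added example, not from the thread or from ClearPass, of the "notify before it expires" side of the previous reply. AD keeps the password lifetime in two FILETIME values (100 ns intervals since 1601-01-01 UTC): pwdLastSet on the user and maxPwdAge on the domain root, the latter stored as a negative interval. The arithmetic below, the sample values (90-day policy, password set 2014-01-15, checked on 2014-04-01) and the 14-day warning threshold are all constructed for illustration; the function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME epoch. pwdLastSet and maxPwdAge are both 100-ns counts from here;
# maxPwdAge is negative because AD stores it as an interval to be subtracted.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000                # userAccountControl flag
MAX_PWD_AGE_NEVER = (0, -0x8000000000000000)   # maxPwdAge values meaning "no expiry"


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # dt must be timezone-aware; integer microseconds avoids float drift
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


@dataclass(frozen=True)
class PasswordStatus:
    state: str                       # "never_expires", "must_change", "valid" or "expired"
    expires_at: Optional[datetime]   # set only for "valid" / "expired"
    days_left: Optional[int]         # negative once expired


def password_status(pwd_last_set: int, max_pwd_age: int,
                    user_account_control: int, now: datetime) -> PasswordStatus:
    """Work out where a user's password is in its lifetime.

    Order matters: the never-expires flag (or a domain with no max age) wins,
    then "must change at next logon" (pwdLastSet == 0), then the arithmetic.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age in MAX_PWD_AGE_NEVER:
        return PasswordStatus("never_expires", None, None)
    if pwd_last_set == 0:
        return PasswordStatus("must_change", None, None)
    # subtracting the negative maxPwdAge adds the policy lifetime to pwdLastSet
    expires_at = filetime_to_datetime(pwd_last_set - max_pwd_age)
    remaining = expires_at - now
    state = "expired" if remaining <= timedelta(0) else "valid"
    return PasswordStatus(state, expires_at, remaining.days)


def should_warn(status: PasswordStatus, warn_days: int = 14) -> bool:
    """True when the portal should tell the user to change the password soon."""
    return status.state == "valid" and status.days_left is not None and status.days_left <= warn_days


# Constructed sample: 90-day policy, password set 2014-01-15, checked on two dates.
SAMPLE_MAX_PWD_AGE = -90 * 24 * 3600 * 10_000_000          # -77760000000000
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2014, 1, 15, tzinfo=timezone.utc))
SAMPLE_UAC = 0x200                                         # NORMAL_ACCOUNT only
SAMPLE_NOW = datetime(2014, 4, 1, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2014, 5, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when in (SAMPLE_NOW, SAMPLE_LATER):
        s = password_status(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, SAMPLE_UAC, when)
        print(f"{when.date()}: {s.state}, expires {s.expires_at}, {s.days_left} days left, warn={should_warn(s)}")
```

On a 2008-level or newer domain the same answer is available ready-made as the constructed attribute msDS-UserPasswordExpiryTimeComputed, which also accounts for fine-grained password policies; the manual calculation above is what you fall back to when the lookup account cannot read it. Either way this only works while the bind still succeeds, which is the point the previous reply makes: once the password has expired the user must be sent to a reset path, not warned.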

Re: Using LDAP errors to inform portal users of the reason for an auth failure

We have that running with our certificates.

This is a portal that authenticates AD users (not internal guests), so I don't think there's an easy way to know when the passwd is going to expire or anything.

Is there perhaps a way to return an accept even when the account doesn't authenticate?

Koen (ACMX #351 | ACDX #547 | ACCP)


Re: Using LDAP errors to inform portal users of the reason for an auth failure

So nobody with any brilliant ideas on how to get this working?

Koen (ACMX #351 | ACDX #547 | ACCP)


Re: Using LDAP errors to inform portal users of the reason for an auth failure

Put a link to the password reset portal on the login page? .......:)

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs

Re: Using LDAP errors to inform portal users of the reason for an auth failure

Far from ideal, as this portal is also available for guests, but seeing as nobody comes up with a brilliant proposal I'm guessing it's pretty much the only option left.

Has anybody got some more details about this little bit of the 6.3 release notes perhaps:

- Added the ability to verify whether an Active Directory account has expired. (#15552)

Seems to be pretty much what I need, or is that only info for Access Tracker, not towards the user?

Koen (ACMX #351 | ACDX #547 | ACCP)
