In this video we show how ClearPass can handle removed or disabled accounts. By default, if you remove an account, onboarded users will lose access as well (regardless of their certificate is still valid/expired/revoked). If you disable the account in Active Directory, the user does have access. That is because in AD the account information (authorization) is still there. We can check for the account status (enabled/disabled) with an LDAP query.
A query that only returns enabled accounts is:
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
By combining that with the default query, that returns all matching by username accounts:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user))
you get to the query:
(&(sAMAccountName=%{Authentication:Username})(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=user)))
Quick LDAP reference: from (&(filter1)(filter2)), which mean both filter1 and filter2 must match, we go to (&(filter1)(&(filter2)(filter3))) where filter1 must match and filter2 and filter 3 must match.
The video shows how to to enter this in ClearPass as an additional attribute. You can decide to change the existing query, but that will give a 'user not found' in case of a disabled account. By getting an additional status attribute, you can clearly see that the account is disabled by the ws_Disabled role, and act accordingly.
This video is part of the Aruba ClearPass Workshop series.
- Direct Youtube link -