How to check if an AD account is disabled in ClearPass with the userAccountControl attribute

By Arunkumar posted Jul 14, 2014 09:29 AM


This article talks about adding UserAccountControl attribute of AD/LDAP to ClearPass.



If ClearPass is using AD/LDAP as an authentication source, It will authenticate any user which is present in the AD/LDAP even if the account is disabled if the AD/LDAP if the UserAccountControl attribute is not added.

Below are the steps to add this attribute.

Login to ClearPass and navigate to "Configuration » Authentication » Sources"



Click on the AD or LDAP server which we are using as an authentication source. 


rtaImage (1).png


Click on the Attributes tab.


rtaImage (2).png

We have to add UserAccountControl  under Authentication.
Click on Authentication.


rtaImage (3).png

Click on "Click to add" and add the attribute as shown below.

rtaImage (4).png


Save the configuration.userAccountControl added as an Authentication attribute.


rtaImage (5).png


Verify that AD is returning this attribute. Click on Authentication - > Browse.


rtaImage (6).png


On this Ldap Browser  query for any user on AD and check if AD is returning the userAccountControl attribute.


rtaImage (7).png

This verifies that ClearPass is getting <userAccountControl attribute. When value of userAccountControl  is 66050 then its disabled else the account is enabled.


We can also add new attributes based on our requirements. For more details on the Attributes list we can visit