Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Detecting locked account with ClearPass

  • 1.  Detecting locked account with ClearPass

    Posted Apr 10, 2021 05:36 AM
    During implementation of ClearPass I started receiving calls from the helpdesk that users can't connect to the network any more. A quick look into Access Tracker revealed locked AD accounts. I was wondering how to be nice to users and the helpdesk, if I could show a message to the user when the account is locked. To do this I added a new filter to the Authentication Source for AD.

    Filter name: Account Locked

    Query:

    (&(sAMAccountName=%{Authentication:Username})
        (&(lockoutTime>=1)
            (objectClass=user)))

    Attribute Name: lockoutTime
    Alias Name: Account Locked
    Data Type: Integer64
    Enabled as: Attribute

    In Role Mapping Policy then set the role:

    (Authorization: AD Source:Account Locked  EXISTS   )  AD User Locked

    And in the Enforcement policy redirect to appropriate message page and limit access to the network. 



    ------------------------------
    Gorazd Kikelj
    ------------------------------
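Two checks a practitioner would want around the filter above, as an added example that is not part of the original post and not ClearPass code. First, the username substituted for `%{Authentication:Username}` must be escaped per RFC 4515 before it lands inside the filter (ClearPass performs that substitution itself; the function shows what a safe substitution has to do). Second, AD stores `lockoutTime` as a Windows FILETIME and does not reset it to 0 when the domain's `lockoutDuration` expires, only on the next successful logon, so `lockoutTime>=1` also matches accounts that have already auto-unlocked; comparing against `lockoutDuration` removes those stale matches. The function names and the sample values are constructed for this example.

```python
"""Helpers around the 'Account Locked' LDAP filter (added example, not ClearPass code)."""
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Value AD stores for a GPO lockoutDuration of "until administrator unlocks".
LOCKOUT_FOREVER = -(1 << 63)


def escape_ldap_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def locked_account_filter(username: str) -> str:
    """Same filter shape as the post, with the username escaped before substitution."""
    return ('(&(sAMAccountName=%s)(&(lockoutTime>=1)(objectClass=user)))'
            % escape_ldap_filter_value(username))


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME (Integer64) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, exact to the microsecond."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def is_currently_locked(lockout_time: int, lockout_duration: int, now: datetime) -> bool:
    """Decide whether a lockoutTime value still denotes a locked account.

    lockout_time: the account's lockoutTime attribute (0 = never locked, or cleared
                  by a successful logon after the lockout expired).
    lockout_duration: the domain's lockoutDuration, a negative 100-ns interval
                  (e.g. -18000000000 for 30 minutes); 0 or LOCKOUT_FOREVER means
                  the account stays locked until an administrator unlocks it.
    """
    if lockout_time == 0:
        return False
    if lockout_duration in (0, LOCKOUT_FOREVER):
        return True
    unlock_at = filetime_to_datetime(lockout_time) + timedelta(microseconds=(-lockout_duration) // 10)
    return now < unlock_at


if __name__ == '__main__':
    # Constructed sample: lockout at the Unix epoch, 30-minute domain policy.
    lock = 116444736000000000          # FILETIME of 1970-01-01 00:00:00 UTC
    duration = -18000000000            # 30 minutes as a negative 100-ns interval
    print(locked_account_filter('j*smith)'))
    print(is_currently_locked(lock, duration, filetime_to_datetime(lock + 6000000000)))   # 10 min later
    print(is_currently_locked(lock, duration, filetime_to_datetime(lock + 24000000000)))  # 40 min later
```

A role-mapping rule on `lockoutTime EXISTS` alone will keep steering an account to the "locked" page after the lockout has expired but before the user logs on successfully anywhere; if that matters, fetch `lockoutDuration` from the domain object as well and apply the second check.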


  • 2.  RE: Detecting locked account with ClearPass

    MVP EXPERT
    Posted Apr 12, 2021 10:52 AM
    You should migrate away from legacy, insecure authentication methods.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Detecting locked account with ClearPass

    Posted Apr 13, 2021 07:26 AM
    We had similar issues with our BYOD network. Users were logging in with their ID and password, but when the passwords expired they always forgot to update it on the BYOD device. The accounts would start locking. So next we moved to cert-based authentication, and users had to go through about 20 steps to onboard Apple and Android devices. This fixed our issue mostly, except the onboarding process was a pain, so many users would give up halfway through. The first step in onboarding was to use your current ID and password, so when they gave up the SSID still had that ID and password stored, so these users would again get locked accounts when the password expired until they forgot the network. The users using certs who went through the whole onboarding process had no more issues.

    I like your captive portal redirect message to the users, but for us they would only see that if they were on the BYOD device and not on the corp device which was using the same locked account. I ended up creating a report in CPPM Insight that ran daily and sent an email of the report to the help desk. It also filtered on some column about "AD Locked". This way they didn't have to call me and ask if I could see if the user had a BYOD device. Funny, the user would always tell the help desk they didn't have a BYOD device, but it always ended up they did.

    ------------------------------
    Alan Scott
    ------------------------------



  • 4.  RE: Detecting locked account with ClearPass

    Posted Apr 13, 2021 11:36 AM
    ClearPass is not blocking anything. If AD is set to 3 bad attempts, and the device has the bad credentials stored, the account will be disabled and the device will be denied access.

    You either need to increase or disable your lockout setting.

    ------------------------------
    George Sim
    ------------------------------



  • 5.  RE: Detecting locked account with ClearPass

    EMPLOYEE
    Posted Apr 14, 2021 08:48 AM
    Please be advised (it was mentioned before that you should move from legacy authentication methods) that you probably should not use AD usernames and passwords for 802.1X or WPA-Enterprise authentications. The security really depends on how strictly you can control your clients to prevent them from connecting to a rogue authentication server; otherwise clients should be considered to leak the user/computer password.

    Search for 'Why I should not use EAP-MSCHAPv2' for more details. Moving to EAP-TLS will also resolve your account-lock problem.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------