Please be advised (it was mentioned before that you should move away from legacy authentication methods) that you probably should not use AD usernames and passwords for 802.1X or WPA-Enterprise authentication. The security really depends on how strictly you can control your clients to prevent them from connecting to a rogue authentication server; otherwise the clients should be considered to leak the user/computer password.
Search for 'Why I should not use EAP-MSCHAPv2' for more details. Moving to EAP-TLS will also resolve your account-lock problem.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Apr 12, 2021 02:13 AM
From: George Sim
Subject: Detecting locked account with ClearPass
ClearPass is not blocking anything. If AD is set to 3 bad attempts, and the device has the bad credentials stored, the account will be disabled and the device will be denied access.
You either need to increase or disable your lockout setting.
------------------------------
George Sim
Original Message:
Sent: Apr 10, 2021 05:35 AM
From: Gorazd Kikelj
Subject: Detecting locked account with ClearPass
During the implementation of ClearPass I started receiving calls from the helpdesk that users can't connect to the network any more. A quick look into Access Tracker revealed locked AD accounts. I was wondering how to be nice to users and the helpdesk by showing a message to the user when the account is locked. To do this I added a new filter to the Authentication Source for AD.
Filter name: Account Locked
Query:
(&(sAMAccountName=%{Authentication:Username})
(&(lockoutTime>=1)
(objectClass=user)))
Attribute Name: lockoutTime
Alias Name: Account Locked
Data Type: Integer64
Enabled as: Attribute
In the Role Mapping Policy, then set the role:
(Authorization: AD Source:Account Locked EXISTS ) | AD User Locked |
And in the Enforcement Policy, redirect to an appropriate message page and limit access to the network.
------------------------------
Gorazd Kikelj
------------------------------
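A worked example for the filter above, added here and not part of the post or of ClearPass: it evaluates the semantics of the "Account Locked" query (objectClass=user and lockoutTime>=1) against constructed sample directory entries and adds the check a practitioner usually wants next. Active Directory stores lockoutTime as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and does not reset it to zero when the domain's lockout duration expires; it is cleared on the next successful logon. So lockoutTime>=1 also matches accounts whose lockout has already elapsed, and the code below separates "still locked" from "stale" by comparing lockoutTime plus the policy's lockout duration with the current time. The sample entries, the 30-minute lockout duration and the "now" timestamp are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# The filter from the post, on one line. The nested (& is redundant but valid.
ACCOUNT_LOCKED_FILTER = (
    "(&(sAMAccountName=%{Authentication:Username})"
    "(&(lockoutTime>=1)(objectClass=user)))"
)

# AD stores lockoutTime as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to an AD lockoutTime value (FILETIME ticks)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD lockoutTime value back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def matches_locked_filter(entry: dict, username: str) -> bool:
    """Semantics of ACCOUNT_LOCKED_FILTER for one entry: the requested account,
    objectClass contains 'user', and lockoutTime is present and >= 1."""
    return (
        entry.get("sAMAccountName", "").lower() == username.lower()
        and "user" in entry.get("objectClass", [])
        and int(entry.get("lockoutTime", 0)) >= 1
    )


def lockout_state(entry: dict, lockout_duration, now: datetime) -> str:
    """Classify one entry:
      'clear'  - lockoutTime is 0 or absent (never locked, or logged on since)
      'locked' - lockoutTime + lockoutDuration is still in the future
      'stale'  - lockoutTime is set but the duration has elapsed; AD leaves the
                 attribute in place until the next successful logon, so the
                 LDAP filter still matches this account
    lockout_duration=None models a policy where accounts stay locked until an
    administrator unlocks them."""
    ticks = int(entry.get("lockoutTime", 0))
    if ticks == 0:
        return "clear"
    if lockout_duration is None:
        return "locked"
    return "locked" if filetime_to_datetime(ticks) + lockout_duration > now else "stale"


def classify_entries(entries, lockout_duration, now: datetime) -> dict:
    """For each entry: (does the post's filter match it?, current lockout state)."""
    return {
        e["sAMAccountName"]: (
            matches_locked_filter(e, e["sAMAccountName"]),
            lockout_state(e, lockout_duration, now),
        )
        for e in entries
    }


# Constructed sample data: "now" is the post's timestamp, policy lockout is 30 minutes.
NOW = datetime(2021, 4, 10, 5, 35, tzinfo=timezone.utc)
POLICY_LOCKOUT_DURATION = timedelta(minutes=30)
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

SAMPLE_ENTRIES = [
    # locked five minutes ago: filter matches, and the account is really locked
    {"sAMAccountName": "alice", "objectClass": USER_CLASSES,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(minutes=5))},
    # locked two hours ago and not logged on since: filter still matches, lockout expired
    {"sAMAccountName": "bob", "objectClass": USER_CLASSES,
     "lockoutTime": datetime_to_filetime(NOW - timedelta(hours=2))},
    # never locked, or cleared by a successful logon
    {"sAMAccountName": "carol", "objectClass": USER_CLASSES, "lockoutTime": 0},
]

if __name__ == "__main__":
    for name, (matched, state) in classify_entries(SAMPLE_ENTRIES, POLICY_LOCKOUT_DURATION, NOW).items():
        print(f"{name:6} filter_match={matched!s:5} state={state}")
```

The "stale" case is the one to watch when the role drives an enforcement redirect: a user whose lockout has expired but who has not yet logged on successfully still carries a non-zero lockoutTime, so a role based only on EXISTS would keep sending them to the locked-account page. Reading the domain's lockout duration and applying the comparison above, or reserving the redirect for helpdesk information rather than denial, avoids that.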