Security

last person joined: 8 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Detecting locked account with ClearPass

This thread has been viewed 30 times
  • 1.  Detecting locked account with ClearPass

    Posted 27 days ago
    During implementation of ClearPass I start receiving calls from helpdesk, that users can't connect any more on the network. Quick look into Access Tracker reviled locked AD accounts. I was wondering how to be nice to users and helpdesk if I could show the message to the user when account is locked. To do this I add new filter to Authentication Source for AD.

    Filter name: Account Locked

    Query:
       

    (&(sAMAccountName=%{Authentication:Username})

        (&(lockoutTime>=1)

            (objectClass=user)))

    Attribute Name: lockoutTime
    Alias Name: Account Locked
    Data Type: Integer64
    Enabled as: Attribute

    In Role Mapping Policy then set the role:

    (Authorization: AD Source:Account Locked  EXISTS   )  AD User Locked

    And in the Enforcement policy redirect to appropriate message page and limit access to the network. 



    ------------------------------
    Gorazd Kikelj
    ------------------------------


  • 2.  RE: Detecting locked account with ClearPass

    Posted 24 days ago
    You should migrate away from legacy, insecure authentication methods.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: Detecting locked account with ClearPass

    Posted 24 days ago
    We had similar issues with our BYOD network.  Users were logging in with their id and password but when the passwords expired they always forgot to update it on the BYOD device.  The accounts would start locking.  So next we moved to cert based authentication and users had to go through about 20 steps to onboard apple and android devices.  This fixed our issue mostly except the onboard process was a pain so many users would give up half way through.  The first  step in onboarding was to use your current id and password so when they gave up the SSID still had that id and password stored so these users would again get locked accounts when the password expired until they forget the network.   The users using certs who went through the whole onboarding process had no more issues.

    I like your captive portal redirect message to the users but for us they would only see that if they were on the BYOD device and not on the corp device which was using the same locked account.  I ended up creating a report in CPPM Insight that ran daily and sent an email of the report to the help desk.  It also filtered on some  column about "AD Locked"  This way they didn't have to call me and ask if I could see if the user had a BYOD device.  funny the user would always tell the help desk they didnt have a BYOD device but always it ended up they did.

    ------------------------------
    Alan Scott
    ------------------------------



  • 4.  RE: Detecting locked account with ClearPass

    Posted 23 days ago
    ClearPass is not blocking anything. If AD is set to 3 bad attempts, and the device has the bad credentials stored, the account will be disabled and the device will be denied access.

    You either need to increase or disable your lockout setting.

    ------------------------------
    George Sim
    ------------------------------



  • 5.  RE: Detecting locked account with ClearPass

    Posted 23 days ago
    Please be advised (was mentioned before that you should move from legacy authentication methods) that you probably should not use AD usernames and passwords for 802.1X or WPA-Enterprise authentications. The security depends really on how strict you can control your clients to prevent them from connecting to a rogue authentication server; or otherwise clients should be considered to leak the user/computer password.

    Search for 'Why I should not use EAP-MSCHAPv2' for more details. Moving to EAP-TLS will also resolve your account-lock problem.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------