  • 1.  ClearPass AccountStatus Attribute

    Posted Sep 18, 2024 11:52 AM
    Edited by dburns865 Sep 18, 2024 01:42 PM

    I am working through a lab setting up 802.1X on ClearPass, and it included a step to add the AccountStatus attribute to the Active Directory authentication source. The status codes (512, 66048) are used in the authentication service to ensure the AD account is enabled. In what scenario would this actually be needed? I have TACACS and 802.1X set up on my own network, and if I try to authenticate while my account is disabled, it fails and ClearPass never even obtains my account attributes. Are there times where a user could successfully authenticate with a disabled account?


    EDIT: I can't see how to delete a post, so I'm adding an edit. I think I figured it out. EAP-TLS will authenticate with the cert, so there is no Active Directory authentication. Since AD isn't involved, ClearPass needs to strip the username from the cert and check that the account is active.



  • 2.  RE: ClearPass AccountStatus Attribute

    Posted Sep 19, 2024 12:51 AM

    That's the reason, yes, when AuthN is handled separately from AuthZ.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: ClearPass AccountStatus Attribute
    Best Answer

    Posted Sep 19, 2024 03:14 AM

    Exactly. And as certs are the preferred method of authentication, this is very useful. You may not be keen to revoke a cert if a user is just temporarily out, and you can just disable the account. There is also a case where an account gets locked and you can redirect the user to an unlock page.

    Best, Gorazd 



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
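The check the original poster's EDIT and the best answer describe, as an added example that is not ClearPass code or part of this thread: the certificate proves identity (AuthN), so the AD account status (AuthZ) must be checked separately. The two values the lab names, 512 and 66048, are userAccountControl with NORMAL_ACCOUNT set, with or without DONT_EXPIRE_PASSWORD; the bitwise form below goes beyond that list and tests the ACCOUNTDISABLE bit directly. The sample directory and certificate subjects are constructed.

```python
# userAccountControl flag bits (documented by Microsoft).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# The two literal "enabled" values used in the lab.
LAB_ENABLED_VALUES = {
    NORMAL_ACCOUNT,                          # 512
    NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,   # 66048
}

# Constructed sample directory: sAMAccountName -> userAccountControl
SAMPLE_AD = {
    "alice": 512,    # enabled
    "bob": 514,      # disabled (512 | ACCOUNTDISABLE)
    "carol": 66048,  # enabled, password never expires
    "dave": 66050,   # disabled, password never expires
}


def is_enabled_by_list(uac):
    """The lab's check: the attribute must equal one of the known values."""
    return uac in LAB_ENABLED_VALUES


def is_enabled_by_bit(uac):
    """Generalisation: enabled means the ACCOUNTDISABLE bit is clear."""
    return uac & ACCOUNTDISABLE == 0


def username_from_cert_subject(subject):
    """Pull the CN out of a subject such as 'CN=alice,OU=Users,DC=example,DC=com'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def authorize_eap_tls(subject, directory=SAMPLE_AD):
    """EAP-TLS already authenticated the client cert; only the AD status is checked here.
    Returns (allowed, reason)."""
    user = username_from_cert_subject(subject)
    if user is None:
        return False, "no CN in certificate subject"
    uac = directory.get(user)
    if uac is None:
        return False, "no matching AD account"
    if not is_enabled_by_bit(uac):
        return False, "account disabled"   # the case a cert alone would not catch
    return True, "account enabled"
```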