Exactly. And as certs are the preferred method of authentication, this is very useful. You may not be keen to revoke a cert if a user is just temporarily out, and you can just disable the account. There is also the case where an account gets locked and you can redirect the user to an unlock page.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
------------------------------
Original Message:
Sent: Sep 18, 2024 11:51 AM
From: dburns865
Subject: ClearPass AccountStatus Attribute
I am working through a lab setting up 802.1x on ClearPass and it included a step to add the AccountStatus attribute to the Active Directory authentication source. The status codes (512, 66048) are used in the authentication service to ensure the AD account is enabled. In what scenario would this actually be needed? I have TACACS and 802.1x set up on my own network, and if I try to authenticate while my account is disabled it fails and ClearPass never even obtains my account attributes. Are there times where a user could successfully authenticate with a disabled account?
EDIT: Can't see how to delete a post, so adding an edit. I think I figured it out. EAP-TLS will authenticate with the cert, so no Active Directory authentication. Since AD isn't involved, ClearPass needs to strip the username from the cert and check that the account is active.
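To make the EAP-TLS case in this thread concrete, here is an added worked example (not from the thread, the lab, or ClearPass itself) that models the AccountStatus check: the two values the lab allows, 512 and 66048, are `userAccountControl` values, and the bits behind them (NORMAL_ACCOUNT 0x200, DONT_EXPIRE_PASSWORD 0x10000, ACCOUNTDISABLE 0x2, LOCKOUT 0x10) are Microsoft-documented flags. The directory lookup and the `eap_tls_decision` function are assumptions standing in for what the authentication source and enforcement policy do; the AD objects are constructed. It also goes slightly beyond the lab by showing a flag-based check, which keeps accepting enabled accounts that carry additional benign flags instead of matching two exact numbers.

```python
# Added example: decode Active Directory userAccountControl for an
# EAP-TLS flow where the certificate, not AD, did the authentication,
# so the account's enabled state has to be checked separately.

# Microsoft-documented userAccountControl bit flags.
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

# The exact values the lab's authentication service allows
# (512 = NORMAL_ACCOUNT, 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD).
LAB_ALLOWED_VALUES = {512, 66048}

# Constructed stand-in for the AD authentication source: sAMAccountName -> userAccountControl.
CONSTRUCTED_DIRECTORY = {
    "alice": 512,            # normal, enabled
    "bob": 66048,            # normal, enabled, password never expires
    "carol": 514,            # normal, DISABLED (512 | 0x2)
    "dave": 66050,           # normal, password never expires, DISABLED
    "erin": 512 | LOCKOUT,   # normal, flagged locked (see caveat below)
}


def is_enabled_by_value(uac: int) -> bool:
    """The lab's approach: accept only the listed values."""
    return uac in LAB_ALLOWED_VALUES


def is_enabled_by_flags(uac: int) -> bool:
    """Flag-based approach: a normal account without the disable bit."""
    return bool(uac & NORMAL_ACCOUNT) and not (uac & ACCOUNTDISABLE)


def account_state(uac: int) -> dict:
    """Break a userAccountControl value into the flags the policy cares about."""
    return {
        "normal": bool(uac & NORMAL_ACCOUNT),
        "disabled": bool(uac & ACCOUNTDISABLE),
        "locked": bool(uac & LOCKOUT),
        "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
    }


def username_from_cert(subject_upn: str) -> str:
    """Hypothetical helper: take the account name from the certificate's UPN."""
    return subject_upn.split("@", 1)[0]


def eap_tls_decision(subject_upn: str, directory: dict) -> tuple:
    """Hypothetical enforcement step after a successful EAP-TLS handshake.

    Returns (decision, reason). REDIRECT_UNLOCK mirrors the reply's idea of
    sending a locked user to an unlock page instead of a plain reject.
    """
    user = username_from_cert(subject_upn)
    uac = directory.get(user)
    if uac is None:
        return ("REJECT", "no matching AD account")
    state = account_state(uac)
    if state["disabled"]:
        return ("REJECT", "account disabled")
    if state["locked"]:
        return ("REDIRECT_UNLOCK", "account locked")
    if not state["normal"]:
        return ("REJECT", "not a normal user account")
    return ("ACCEPT", "account enabled")


if __name__ == "__main__":
    for upn in ("alice@example.test", "carol@example.test", "erin@example.test", "zed@example.test"):
        print(upn, "->", eap_tls_decision(upn, CONSTRUCTED_DIRECTORY))
```

One caveat worth knowing when building the lockout branch: although LOCKOUT (0x10) is a documented `userAccountControl` flag, AD reports current lockout through `lockoutTime` and the computed `msDS-User-Account-Control-Computed` attribute rather than setting that bit in the stored attribute, so a real policy should read one of those if it wants to redirect locked users. The disable bit, by contrast, is stored directly, which is why the 512 / 66048 check in the lab catches disabled accounts that a certificate alone would let through.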