Hi
The CLI in ClearPass doesn't have any commands like this so that's not an option.
A few years ago I worked a lot with municipalities and the public schools with a lot of iPads. In some schools they had shared devices, not personal devices, and to "simplify" for the local IT staff each school had an AD account for their iPads, resulting in hundreds of devices using the same account for EAP-PEAP authentication. Curious kids exploring the authentication settings changed the password for the account, leading to a massive lockout of all the school's iPads... Not the best solution!
The solution in cases like this was to implement several different configurations to mitigate the lockout problem.
Raise the lockout threshold in AD; I think they had 3-5 tries before lockout initially
Created a custom attribute in the Endpoints Repository, i.e. Bad Password
Created two enforcement profiles, one updating the attribute Bad Password = True and one Bad Password = False
In the Enforcement policy created a new rule triggering on the error message given when you supply wrong password, and the AD attribute badPwdCount > 1 and applying Bad Password = True.
Also created a copy of the 802.1x Service, named something like "802.1x Wireless Bad Password", adding Bad Password = True to the Service conditions and a separate AD source with a modified search condition like: (&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(!(badPwdCount>=4)))
This will filter out any accounts where the badPwdCount is 4 or higher, preventing ClearPass from trying to authenticate and thereby also preventing a lockout of the account.
In the Access Tracker you will just see a "User not found" error message, which can be confusing for first line staff...
If there are more devices trying to authenticate with this account, like the user on the domain joined computer, they will reset the counter to 0 when they manually log in.
When the user has updated the password on the mobile phone and the badPwdCount has been reset, either by a successful login or a password change from the service desk, the phone can authenticate with the service "802.1x Wireless Bad Password" as the AD source can find the user account again. If the authentication is successful the enforcement policy applies the Bad Password = False enforcement profile and thereby resets the processing to the normal service.
A quite complex setup, but it worked in most situations. A risk is if you have multiple devices with wrong password each of them can perform a single try and lock the account. If you just have users with personal devices this shouldn't be a major issue.
The reason for the separate service "802.1x Wireless Bad Password" is to not affect all devices with correct passwords. If only the normal 802.1x service has the badPwdCount filter, no authentications will be allowed on any device; my goal was to just stop devices that had sent a bad password.
The solution above is just a band-aid on the wound; the better solution is to provide certificates to the devices and use EAP-TLS or EAP-TEAP instead. But that's a different story.
When you have implemented this you can search either in Access Tracker for devices/users hitting the "802.1x Wireless Bad Password" service, or in the Endpoints Repository for devices with the attribute Bad Password = True.
Reports can also be generated from Insight and sent by email.
------------------------------
Best Regards
Jonas Hammarbäck
MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
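The AD-source filter quoted in the post above, evaluated in Python against constructed directory entries to show which accounts the "802.1x Wireless Bad Password" service would still find. This is an added example, not code from the thread or from ClearPass; the small RFC 4515 parser, the ENTRIES data and the account_visible function are assumptions of this example.

```python
import re

# Added example (not ClearPass code): evaluate the AD-source filter from the
# post against constructed directory entries to see which accounts the
# "802.1x Wireless Bad Password" service can still find.
FILTER = ("(&(&(sAMAccountName=%{Authentication:Username})(objectClass=user))"
          "(!(badPwdCount>=4)))")

def parse(s, i=0):
    """Parse a subset of RFC 4515: &, |, ! and =, >=, <= items. Returns (tree, next_index)."""
    i += 1                                  # skip the opening '('
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1            # skip the closing ')'
    j = s.index(")", i)
    m = re.fullmatch(r"([A-Za-z]+)(>=|<=|=)(.*)", s[i:j])
    return ("cmp", m.group(1), m.group(2), m.group(3)), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict of attribute -> value)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, op, val = node
    actual = entry.get(attr)
    if actual is None:                      # absent attribute never matches
        return False
    if op == "=":
        return str(actual).lower() == val.lower()
    a, v = int(actual), int(val)
    return a >= v if op == ">=" else a <= v
# Constructed AD entries: jdoe has hit the threshold, asmith has not.
ENTRIES = [
    {"sAMAccountName": "jdoe", "objectClass": "user", "badPwdCount": 4},
    {"sAMAccountName": "asmith", "objectClass": "user", "badPwdCount": 2},
    {"sAMAccountName": "printer01", "objectClass": "computer", "badPwdCount": 0},
]

def account_visible(username, entries=ENTRIES, filter_str=FILTER):
    """True if the AD source returns the account, i.e. ClearPass would go on to bind."""
    tree, _ = parse(filter_str.replace("%{Authentication:Username}", username))
    return any(matches(tree, e) for e in entries)
```

One caveat when reading the result: badPwdCount is not replicated between domain controllers (failures are forwarded to the PDC emulator), so the count the filter sees depends on which DC the AD source queries.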
Original Message:
Sent: Feb 09, 2024 08:57 AM
From: hg363a
Subject: ClearPass Policy Manager 6.9.13.138003 - SNMP MIBS
Hi Jonas, you are spot on. We are a large organisation with over 4K employees and on a recurring basis IT have to deal with investigating why an end user's AD account has become locked.
Are you aware of any CLI commands I can use which would trawl through the database and pull out information related to: Account ID, date and time of lockout, and cause?
Ideally I need to search the entire database and not just perform it for 1 user.
Original Message:
Sent: Feb 09, 2024 07:42 AM
From: jonas.hammarback
Subject: ClearPass Policy Manager 6.9.13.138003 - SNMP MIBS
Hi
I'm not sure if there are such MIBS, at least I haven't seen it.
What is the use case? I guess you have issues with mobile devices locking AD accounts after a password change, where the user has forgotten to change the EAP-PEAP configuration of the mobile device?
Original Message:
Sent: Feb 09, 2024 07:15 AM
From: hg363a
Subject: ClearPass Policy Manager 6.9.13.138003 - SNMP MIBS
Hi, we are running
ClearPass Policy Manager 6.9.13.138003
Can someone please tell me which MIBs to use to get information on the following:
User name
When (date and time) the account was locked out
What caused the lockout
And the device (e.g. mobile)