As far as I'm aware, no. Not in a single session. Maybe you could set a custom attribute in the endpoint database to store the last bad password time and then have MAC authentication check the time without involving AD.
I have never tried this, nor had a use for it. As previously mentioned, the best way is to go with certificates and avoid this issue.
Original Message:
Sent: Oct 22, 2024 07:31 PM
From: DhayaK
Subject: Clearpass [Time Source] attribute in LDAP Authentication filter
Hi,
The support team came back and advised that Time Source parameter/variable is only used post authentication.
So I am back to drawing board.
Does anyone know whether I can do a chained authentication, say check that the AD bad password time is OK, then allow the actual password check, otherwise block?
------------------------------
Regards
Dhaya
Original Message:
Sent: Oct 09, 2024 06:15 AM
From: GorazdKikelj
Subject: Clearpass [Time Source] attribute in LDAP Authentication filter
Hi Dhaya.
Yes, you can use a time stamp there, but you will need a custom time source that will return the MS Time value for comparison. I think that badpasswordtime is not the time of the last wrong password entered (I could be wrong, I didn't check).
But I'm not sure if it resolves your issue. Best is to deploy certificates.
Best, Gorazd
------------------------------
Gorazd Kikelj
MVP Guru 2024
Original Message:
Sent: Oct 09, 2024 02:37 AM
From: DhayaK
Subject: Clearpass [Time Source] attribute in LDAP Authentication filter
Hi, Thanks for your reply. The version we use is 6.11.9.
I am checking with Support on the possibility...
------------------------------
Regards
Dhaya
Original Message:
Sent: Oct 03, 2024 01:19 PM
From: chulcher
Subject: Clearpass [Time Source] attribute in LDAP Authentication filter
The problem with using anything from the AD side is that you are relying on a synchronization on the AD side that might not happen. That's the primary reason that badpwdcount doesn't work.
The better solution is to not have users logging onto the network manually using PEAP. Any devices using PEAP should be managed and have the supplicant configured through said management. If you want users to have BYOD functionality, give them the ability to login with their user credentials to the guest network or implement something like Onboard.
As for your ask, can't say I've ever tried that, but I'd be a little surprised if an authorization parameter is available for the authentication filter.
What version of ClearPass? ClearPass, at least in later versions, will prompt the user for a new password when a failed attempt is received.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Oct 02, 2024 11:43 PM
From: DhayaK
Subject: Clearpass [Time Source] attribute in LDAP Authentication filter
We have multiple DCs and our ClearPass LDAP authentication creates multiple account lockout issues. Using badpwdcount does not work for us because of the multiple DCs.
Our current problem is that our customers forget their saved Wi-Fi passwords and the device keeps trying to authenticate, locking out the accounts before the user gets a chance to find and remove them.
I have come up with an idea to let ClearPass slip through the authentication if there is a bad login attempt in the last 5 mins.
- Create an Authentication Sources -> Time Source attribute named now_minus_5mins with value NOW() minus 5 minutes
- In the LDAP authentication filter use the time source
- (&(objectClass=user)(sAMAccountName=%{Authentication:Username})(badpasswordtime<%{Authentication:[Time Source]:now_minus_5mins}))
Is this possible at all?
Forgive me if I am mentioning something stupid, I am not a ClearPass expert.
Thanks in advance.
------------------------------
Regards
Dhaya
------------------------------
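The "MS Time value" Gorazd mentions and the badpasswordtime filter from Dhaya's original post, worked through as an added example that is not from the thread or from ClearPass: AD stores badPasswordTime as a Windows FILETIME (100 ns ticks since 1601), so a custom time source would have to produce that integer for NOW() minus 5 minutes. Function names are assumed; the filter uses `<=` because LDAP (RFC 4515) has no `<` operator, and the comparison mirror notes chulcher's point that this attribute is per-DC.

```python
from datetime import datetime, timedelta, timezone

# AD stores badPasswordTime, lastLogon, etc. as a Windows FILETIME:
# an 18-digit count of 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def to_ad_timestamp(dt: datetime) -> int:
    """Timezone-aware datetime -> AD Integer8 (FILETIME) value."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    secs = delta.days * 86400 + delta.seconds
    return secs * TICKS_PER_SECOND + delta.microseconds * 10

def from_ad_timestamp(value: int) -> datetime:
    """AD Integer8 value -> UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def now_minus_5mins(now: datetime) -> int:
    """What the custom time-source attribute would have to return."""
    return to_ad_timestamp(now - timedelta(minutes=5))

def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a username cannot alter the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_auth_filter(username: str, cutoff: int) -> str:
    # '<=' rather than '<': LDAP filters have no strict less-than.
    # badPasswordTime is 0 when no failure was ever recorded, so 0 <= cutoff
    # still matches a user who has never failed.
    return "(&(objectClass=user)(sAMAccountName=%s)(badPasswordTime<=%d))" % (
        ldap_escape(username), cutoff)

def failed_recently(bad_password_time: int, now: datetime,
                    window: timedelta = timedelta(minutes=5)) -> bool:
    """Mirror of the filter's decision for a value read back from one DC.
    badPasswordTime is not replicated between DCs, so the answer depends on
    which DC answered the query (the multi-DC problem raised in the thread)."""
    if bad_password_time == 0:
        return False
    return from_ad_timestamp(bad_password_time) > now - window
```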