Security

  • 1.  Clearpass [Time Source] attribute in LDAP Authentication filter

    Posted Oct 03, 2024 11:15 AM

    We have multiple DCs and our Clearpass LDAP authentication creates multiple account lockout issues. Using badpwdcount does not work for us because of the multiple DCs.

    Our current problem is that our customers forget their saved WIFI passwords and the device keeps trying to authenticate, locking out the accounts before the user gets a chance to find and remove them.

    I have come up with an idea to let clearpass slip through the authentication if there is a bad login attempt in the last 5 minutes.

    1. Create an Authentication Sources -> Time Source attribute named now_minus_5mins with the value NOW() minus 5 minutes
    2. In the LDAP authentication filter use the time source
        1. (&(objectClass=user)(sAMAccountName=%{Authentication:Username})(badpasswordtime<%{Authentication:[Time Source]:now_minus_5mins}))

    Is this possible at all?

    Forgive me if I am mentioning something stupid; I am not a ClearPass expert.

    Thanks in advance.



    ------------------------------
    Regards
    Dhaya
    ------------------------------


  • 2.  RE: Clearpass [Time Source] attribute in LDAP Authentication filter

    Posted Oct 03, 2024 01:20 PM

    The problem with using anything from the AD side is that you are relying on a synchronization on the AD side that might not happen. That's the primary reason that badpwdcount doesn't work.

    The better solution is to not have users logging onto the network manually using PEAP. Any devices using PEAP should be managed and have the supplicant configured through said management.  If you want users to have BYOD functionality, give them the ability to login with their user credentials to the guest network or implement something like Onboard.

    As for your ask, can't say I've ever tried that, but I'd be a little surprised if an authorization parameter is available for the authentication filter.

    What version of ClearPass? ClearPass, at least in later versions, will prompt the user for a new password when a failed attempt is received.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Clearpass [Time Source] attribute in LDAP Authentication filter

    Posted Oct 09, 2024 02:38 AM

    Hi, thanks for your reply. The version we use is 6.11.9.

    I am checking with Support on the possibility...



    ------------------------------
    Regards
    Dhaya
    ------------------------------



  • 4.  RE: Clearpass [Time Source] attribute in LDAP Authentication filter

    Posted Oct 09, 2024 06:15 AM
    Edited by GorazdKikelj Oct 09, 2024 06:16 AM

    Hi Dhaya.

    Yes, you can use a timestamp there, but you will need a custom time source that will return an MS Time value for comparison. I think that badpasswordtime is not the time of the last wrong password entered (I can be wrong, I didn't check).

    But I'm not sure if it resolves your issue. Best is to deploy certificates.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------
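    The comparison proposed in post 1 and the "MS Time value" Gorazd mentions refer to the same thing: Active Directory stores badPasswordTime as a Windows FILETIME large integer (100-nanosecond intervals since 1601-01-01 UTC), so a "NOW() minus 5 minutes" threshold has to be converted to that format before it can be compared in an LDAP filter. The following is an added example written for this thread; it is not code from the original posts or from ClearPass. It assumes Python and a constructed AD record, and it never contacts a DC or ClearPass. Two practitioner caveats it encodes: RFC 4515 filters have no strict `<` operator, only `<=` (and `>=`), so the clause is written with `<=`; and badPasswordTime is a non-replicated attribute, so each DC answers from its own record of failed attempts, which is the same synchronization problem Carson raised for badPwdCount.

```python
from datetime import datetime, timedelta, timezone

# AD large-integer timestamps (badPasswordTime, lastLogon, pwdLastSet) count
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC (Windows FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HUNDRED_NS_PER_SECOND = 10_000_000


def to_filetime(dt: datetime) -> int:
    """Convert a timezone-aware datetime to an AD large-integer timestamp (integer math only)."""
    if dt.tzinfo is None:
        raise ValueError("datetime must be timezone-aware")
    delta = dt - FILETIME_EPOCH
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * HUNDRED_NS_PER_SECOND + delta.microseconds * 10


def from_filetime(ft: int) -> datetime:
    """Inverse of to_filetime, truncating to microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


# RFC 4515 escaping for values embedded in a search filter; without it a
# username containing '*' or ')' changes the meaning of the filter.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_lockout_aware_filter(username: str, now: datetime,
                               window: timedelta = timedelta(minutes=5)) -> str:
    """Build the filter from post 1 with a FILETIME threshold and the '<=' operator.

    The user is returned only if AD recorded no bad password inside `window`.
    A badPasswordTime of 0 means "never", which also satisfies the clause.
    """
    threshold = to_filetime(now - window)
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(username)})"
        f"(badPasswordTime<={threshold}))"
    )


def filter_would_match(record: dict, now: datetime,
                       window: timedelta = timedelta(minutes=5)) -> bool:
    """Evaluate the badPasswordTime clause locally against a constructed AD record.

    This mirrors what one DC would do with the filter above. Because
    badPasswordTime is not replicated, another DC may hold a different value
    for the same account and give a different answer.
    """
    bad_pw_time = int(record.get("badPasswordTime", 0))
    return bad_pw_time <= to_filetime(now - window)


if __name__ == "__main__":
    # Constructed "now" and sample records; nothing here is read from a directory.
    now = datetime(2024, 10, 3, 11, 15, tzinfo=timezone.utc)
    print(build_lockout_aware_filter("dhaya", now))
    samples = {
        "bad password 2 min ago":  {"badPasswordTime": to_filetime(now - timedelta(minutes=2))},
        "bad password 1 hour ago": {"badPasswordTime": to_filetime(now - timedelta(hours=1))},
        "never":                   {"badPasswordTime": 0},
    }
    for label, rec in samples.items():
        print(f"{label:25s} -> filter matches: {filter_would_match(rec, now)}")
```

As a design note: when the clause fails, the user lookup returns nothing and the bind against the DC is never attempted, so a device looping on a stale saved password stops feeding that DC's lockout counter. The cost is that a legitimate user entering the correct password within the window of a bad one is also refused, and the lookup DC and the DC that saw the failure may differ.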



  • 5.  RE: Clearpass [Time Source] attribute in LDAP Authentication filter

    Posted 21 days ago

    Hi,

    The support team came back and advised that the Time Source parameter/variable is only used post-authentication.

    So I am back to the drawing board.

    Does anyone know whether I can do a chained authentication, say, check that the AD bad password time is OK, then allow the actual password check, otherwise block?



    ------------------------------
    Regards
    Dhaya
    ------------------------------



  • 6.  RE: Clearpass [Time Source] attribute in LDAP Authentication filter

    Posted 20 days ago

    As far as I'm aware, no. Not in a single session. Maybe you could set a custom attribute in the endpoint database to store the last bad password time and then have MAC authentication check the time without involving AD.

    I never tried this nor had a use for it. As previously mentioned, the best way is to go with certificates and avoid this issue.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------