CPPM - Machine AD Account Disabled
  • 1.  CPPM - Machine AD Account Disabled

    Posted Jan 30, 2020 12:00 PM

    I recently discovered that a disabled Windows AD Machine account still passes Machine Auth policy in Clearpass. (Tips:Role EQUALS [Machine Authenticated]). 

    Researching, I can add the userAccountControl Attribute to the Machine Filter in the AD source. This will then bring back values of 4096 for Enabled and 4098 for Disabled. 

    I can certainly write policy around those values; however, before I do so... am I missing something with how CPPM handles Machine Authentication? I would expect it to fail with a disabled Machine Account. It appears it just checks for its existence and caches that.

    Thanks
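As an added example that is not part of this thread and not ClearPass's own logic: the `userAccountControl` values the post mentions are a bit field, so a policy is more robust if it tests the ACCOUNTDISABLE bit (0x2) than if it compares the whole value to 4096 or 4098. The Python below decodes the attribute and applies the enabled-computer check the post is working towards; it also handles a computer object with extra flags set (constructed sample records, attribute returned as a string the way LDAP delivers it).

```python
# Decode AD userAccountControl and apply a machine-account enabled check.
# Added illustration for this thread; not ClearPass or Microsoft code.

# Documented bit flags of the AD userAccountControl attribute.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def machine_auth_decision(entry):
    """Decide whether a computer object should satisfy a machine-auth policy.

    `entry` is a dict of LDAP attributes; userAccountControl is a string.
    Returns (decision, reason). Missing attribute is treated as deny,
    because the check described in the thread cannot run without it.
    """
    raw = entry.get("userAccountControl")
    if raw is None:
        return ("deny", "userAccountControl not fetched from AD source")
    uac = int(raw)
    if not uac & (WORKSTATION_TRUST_ACCOUNT | SERVER_TRUST_ACCOUNT):
        return ("deny", "object is not a computer account")
    if uac & ACCOUNTDISABLE:
        return ("deny", "ACCOUNTDISABLE bit set: " + ", ".join(decode_uac(uac)))
    return ("allow", "enabled computer account: " + ", ".join(decode_uac(uac)))


# Constructed sample records, not real directory data.
# 69634 = 0x10000 | 0x1000 | 0x2: disabled, but not equal to 4098.
SAMPLE_ENTRIES = {
    "PC-ENABLED$": {"userAccountControl": "4096"},
    "PC-DISABLED$": {"userAccountControl": "4098"},
    "PC-NOEXPIRE-DISABLED$": {"userAccountControl": "69634"},
    "PC-NOATTR$": {},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        print(name, *machine_auth_decision(entry))
```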