I recently discovered that a disabled Windows AD Machine account still passes Machine Auth policy in Clearpass. (Tips:Role EQUALS [Machine Authenticated]).
Researching, I can add the userAccountControl Attribute to the Machine Filter in the AD source. This will then bring back values of 4096 for Enabled and 4098 for Disabled.
I can certainly write policy around those values however before I do so... am I missing something with how CPPM handles Machine Authentication? I would expect it to fail with a disabled Machine Account. It appears it just checks for its existence and caches that.
Thanks
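An added example (not from the post, and not ClearPass policy syntax): decoding userAccountControl as a bitmask shows why a rule that matches the literal value 4098 is fragile. The disabled state is the 0x2 bit, and any other flag on the computer object (for example DONT_EXPIRE_PASSWORD) changes the total, so the policy should test that bit rather than the whole number. The account names and values below are constructed.

```python
# Added example: decode the AD userAccountControl bitmask so a policy can
# key on the ACCOUNTDISABLE bit instead of the literal value 4098.
# Flag values are the documented Active Directory bit values; the sample
# directory entries below are constructed, not real data.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000


def decode_uac(value: int) -> list[str]:
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_enabled_machine_account(value: int) -> bool:
    """True only for a workstation trust account whose disable bit is clear."""
    return bool(value & WORKSTATION_TRUST_ACCOUNT) and not value & ACCOUNTDISABLE


# Constructed entries, shaped like what the machine filter returns for the attribute.
SAMPLE_ENTRIES = {
    "WS01$": 4096,    # enabled workstation
    "WS02$": 4098,    # disabled workstation (4096 + 2)
    "WS03$": 69632,   # enabled, password never expires (4096 + 65536)
    "WS04$": 69634,   # disabled, password never expires; "EQUALS 4098" would miss this
}


def evaluate(entries: dict[str, int]) -> dict[str, bool]:
    """Apply the bit test to every entry; maps account name -> allowed."""
    return {name: is_enabled_machine_account(v) for name, v in entries.items()}


if __name__ == "__main__":
    for name, uac in SAMPLE_ENTRIES.items():
        print(f"{name}: {uac} -> {decode_uac(uac)} allowed={is_enabled_machine_account(uac)}")
```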