Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Multiple AD Authentication Sources - Error

  • 1.  Multiple AD Authentication Sources - Error

    Posted 9 hours ago

    Hi All

    I have a situation where I need to verify a user's AD account status when they MAC auth, after previously authenticating via a captive portal. My plan was to add another AD authentication source with a filter that matches the UPN to the Endpoint's Username, and use the userAccountControl attribute, then delete all the other unused attributes that are added by default. The issue I am seeing is that when I try to delete the unused attributes from the new authentication source, I get an error saying that they are in use in some of my role mapping policies. The attributes are in use, but for my existing AD authentication source, not the one I'm just creating.

    We have recently upgraded to 6.11. I tried to recreate the issue in my test environment but wasn't able to; the test servers are running 6.9.

    Does anyone know if this is expected behaviour, or is it likely to be a bug and I need to open a TAC case?

    Thanks

    Dave



  • 2.  RE: Multiple AD Authentication Sources - Error

    EMPLOYEE
    Posted 8 hours ago

    My query for this purpose.  Just add to the existing auth source.

    ******
    <Active Directory Auth Source>
    New filter "Custom-DisabledAccountCheck-Endpoint" to check if user account is disabled.
    sAMAccountName will "Exist" if the account is disabled.

    (&(&(userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountType=805306368))(|(&(sAMAccountName=%{Endpoint:Username})(objectClass=user))(&(userPrincipalName=%{Endpoint:Username})(objectClass=user))))

    - sAMAccountName: DisabledAccount-Endpoint, String



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
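
Added example (not part of the thread and not ClearPass code): a local Python model of the filter in post 2, showing which accounts the bitwise userAccountControl match and the samAccountType clause select. The directory entries, the function names and the RFC 4515 escaping helper are assumptions made for illustration; the thread does not say how ClearPass substitutes %{Endpoint:Username}.

```python
# Added example, not ClearPass code. All directory entries are constructed.
ACCOUNTDISABLE = 0x2          # bit tested by userAccountControl:1.2.840.113556.1.4.803:=2
SAM_USER_OBJECT = 805306368   # samAccountType 0x30000000: user account, not a computer

FILTER_TEMPLATE = (
    "(&(&(userAccountControl:1.2.840.113556.1.4.803:=2)(samAccountType=805306368))"
    "(|(&(sAMAccountName={u})(objectClass=user))"
    "(&(userPrincipalName={u})(objectClass=user))))"
)

def escape_filter_value(value):
    """Escape RFC 4515 special characters so the value is matched literally."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_filter(endpoint_username):
    """Expand the filter for testing outside ClearPass (e.g. with an LDAP client)."""
    return FILTER_TEMPLATE.format(u=escape_filter_value(endpoint_username))

def disabled_account_lookup(entries, endpoint_username):
    """Return sAMAccountName of the matching disabled user, else None."""
    wanted = endpoint_username.lower()  # AD matches these attributes case-insensitively
    for e in entries:
        if "user" not in e["objectClass"] or e["samAccountType"] != SAM_USER_OBJECT:
            continue
        # Bitwise-AND matching rule: true only when every bit of the mask is set.
        if (e["userAccountControl"] & ACCOUNTDISABLE) != ACCOUNTDISABLE:
            continue
        if wanted in (e["sAMAccountName"].lower(), e["userPrincipalName"].lower()):
            return e["sAMAccountName"]
    return None

def entry(sam, upn, uac, sam_type=SAM_USER_OBJECT, classes=("user",)):
    return {"sAMAccountName": sam, "userPrincipalName": upn,
            "userAccountControl": uac, "samAccountType": sam_type,
            "objectClass": classes}

SAMPLE_ENTRIES = [  # constructed sample data
    entry("alice", "alice@example.test", 512),        # NORMAL_ACCOUNT, enabled
    entry("bob", "bob@example.test", 514),            # NORMAL_ACCOUNT | ACCOUNTDISABLE
    entry("carol", "carol@example.test", 66050),      # disabled, password never expires
    entry("PC01$", "", 4098, 805306369, ("user", "computer")),  # disabled computer
]

if __name__ == "__main__":
    for name in ("alice", "bob", "Carol@example.test", "PC01$"):
        print(name, "->", disabled_account_lookup(SAMPLE_ENTRIES, name))
    print(build_filter("bob"))
```

A return value of None corresponds to the sAMAccountName attribute not existing in the role mapping, which is the enabled-account case in post 2.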