How to check if an AD account is disabled in ClearPass with the userAccountControl attribute
This article talks about adding UserAccountControl attribute of AD/LDAP to ClearPass.
If ClearPass is using AD/LDAP as an authentication source, It will authenticate any user which is present in the AD/LDAP even if the account is disabled if the AD/LDAP if the UserAccountControl attribute is not added.
Below are the steps to add this attribute.
Login to ClearPass and navigate to "Configuration » Authentication » Sources"
Click on the AD or LDAP server which we are using as an authentication source.
Click on the Attributes tab.
We have to add UserAccountControl under Authentication.
Click on Authentication.
Click on "Click to add" and add the attribute as shown below.
Save the configuration.userAccountControl added as an Authentication attribute.
Verify that AD is returning this attribute. Click on Authentication - > Browse.
On this Ldap Browser query for any user on AD and check if AD is returning the userAccountControl attribute.
This verifies that ClearPass is getting <userAccountControl attribute. When value of userAccountControl is 66050 then its disabled else the account is enabled.
We can also add new attributes based on our requirements. For more details on the Attributes list we can visit http://msdn.microsoft.com/en-us/library/windows/desktop/ms675090(v=vs.85).aspx