Troy,
Awesome! It took me a little bit to figure out since this isn't an area that I often touch. I'm going to put your information together with my post from a few months back. I'm writing up the below so I don't forget:
Here are the full steps to pull it off:
Go to Configuration > Authentication > Sources > "Your AD Server"
1. Click on the "Attributes" tab
2. Click on "Add More Filters"
3. Click on the "Configuration" tab
4. Under "Filter Name" enter something relevant for you. I'm going to call it ToP-Test2
5. Under "Filter Query" enter the following:
(&(sAMAccountName=%{Authentication:Username})(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
6. Under "Name" enter the following: sAMAccountName
7. Under "Alias Name" enter the following: ToP-ActiveAccount
8. Under "Data Type" select "String"
9. Under "Enabled As" check the "Attribute" box
Go to the Wireless 802.1X service under Configuration > Services > "Your 802.1X wireless service"
1. Go to Roles > Modify the Role Mapping for this service
2. Go to Mapping Rules > Click on "Add Rule"
   i. Type = Authorization:AD
   ii. Name = ToP-ActiveAccount
   iii. Operator = NOT_EXISTS
   iv. Role Name = "Deny All"
   v. Click "Save"
3. Go to Enforcement > Modify the Enforcement Policy
4. Go to Rules > Click on "Add Rule"
   i. Type = Tips
   ii. Name = Role
   iii. Operator = EQUALS
   iv. Value = Deny All
   v. Enforcement Profiles > Profiles Name > [RADIUS] [ Deny Access Profile ]
   vi. Click "Save"
5. Move this Enforcement profile to the top of the list and click "Save" in the bottom right-hand corner
To verify that it is working, go to Access Tracker > Input > Authorization Attributes. Active AD accounts should appear as the sAMAccount username to the right of something similar to "Authorization:Windows-2012:ToP-ActiveAccount." A disabled account in AD will not be present.
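
The filter and rule chain from the steps above, modeled in Python as an added example (not part of the original post and not ClearPass code). It shows why the bitwise-AND match on userAccountControl leaves ToP-ActiveAccount empty for disabled accounts; the directory entries and function names are constructed for illustration.

```python
# Added illustration only: models the post's LDAP filter and rule chain.
# Directory entries and function names are constructed; no AD or ClearPass calls.

ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the filter

# Constructed sample entries with common userAccountControl values.
DIRECTORY = [
    {"sAMAccountName": "alice", "objectClass": {"user"}, "userAccountControl": 512},    # normal
    {"sAMAccountName": "bob",   "objectClass": {"user"}, "userAccountControl": 514},    # normal + disabled
    {"sAMAccountName": "carol", "objectClass": {"user"}, "userAccountControl": 66048},  # password never expires
    {"sAMAccountName": "dave",  "objectClass": {"user"}, "userAccountControl": 66050},  # same, but disabled
]


def bit_and_match(value, mask):
    """Rule 1.2.840.113556.1.4.803: match when every bit of mask is set in value."""
    return (value & mask) == mask


def run_filter(username):
    """Model of the post's Filter Query: name matches, is a user, disabled bit not set."""
    for entry in DIRECTORY:
        if (entry["sAMAccountName"].lower() == username.lower()  # AD compares case-insensitively
                and "user" in entry["objectClass"]
                and not bit_and_match(entry["userAccountControl"], ACCOUNTDISABLE)):
            return entry["sAMAccountName"]
    return None  # disabled or unknown account: the filter returns nothing


def evaluate(username):
    """Return (authorization attributes, roles, enforcement result)."""
    attrs = {}
    name = run_filter(username)
    if name is not None:
        attrs["ToP-ActiveAccount"] = name  # alias for the returned sAMAccountName
    # Role mapping rule: ToP-ActiveAccount NOT_EXISTS -> "Deny All"
    roles = ["Deny All"] if "ToP-ActiveAccount" not in attrs else []
    # Enforcement rule at the top of the list: Role EQUALS "Deny All" -> deny
    result = "deny" if "Deny All" in roles else "continue"
    return attrs, roles, result


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "nobody"):
        print(user, evaluate(user))
```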