Guest Blogger

ClearPass - check AD accountExpires attribute

I would like to check the AD attribute "accountExpires". The value that CPPM uses has a strange format. I attached a screenshot of the value. The customer would like to block accounts (MAC auth from endpoints) which are expired.

 

Does anybody know how I can check if the accountExpires date compared to "now" is in the past? 

 

First I tried to match the attribute UserAccountControl, but that value doesn't change when the account is expired. It only changes when the account is disabled.

 

@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog owner@booches.nl

Accepted Solutions
Guest Blogger

Re: ClearPass - check AD accountExpires attribute

Hmmm, I found the answer myself.

 

Just use the built-in Time Source filter "Current Time MS".

 

STUPID ME!!!

 

@rene_booches | AMFX #26, ACMX #438, ACCX #725, ACDX #760, CCNP R&S, CEH | Co-owner/Solution Specialist@4IP / blog owner@booches.nl


All Replies
New Contributor

Re: ClearPass - check AD accountExpires attribute

 

Could you provide a screenshot of where to add the filter? Did you add an SQL filter to the Active Directory source? Or was this added to the time source filters?

 

Thank you,

Josue Ruiz

CCNA, CWNA, ACMA
Aruba Employee

Re: ClearPass - check AD accountExpires attribute

Have a look at my setup.

I've also changed the LDAP search so that it will match either a SAM or the uPN:

(|(&(sAMAccountName=%{Authentication:Username})(objectClass=user))(&(userPrincipalName=%{Authentication:Username})(objectClass=user)))

Also note the Microsoft time is different to Linux. It is based on a 64-bit number starting at 00:00:00 January 1st 1601 (although Pope Gregory XIII actually signed the creation of the new calendar (Gregorian) in October 1582 - go figure!) in 100ms steps.

To compare to ClearPass (Linux) you will need to use the [Time Source]:Now MS time, hence you can do logical comparisons.

Hopefully the other screenshots will help.
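As an added example (not code from the thread or from ClearPass itself), the Python below shows the conversion behind that comparison. It assumes the standard FILETIME definition: accountExpires counts 100-nanosecond ticks since 1601-01-01 UTC, while the Time Source value is Unix epoch milliseconds. It also handles the two "never expires" sentinel values (0 and the maximum signed 64-bit integer) so those accounts are not wrongly blocked.

```python
from datetime import datetime, timezone

# Seconds between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_EPOCH_OFFSET_SEC = 11644473600
# FILETIME counts 100-nanosecond ticks, so 10,000 ticks make one millisecond.
FILETIME_TICKS_PER_MS = 10_000

# AD stores "never expires" as 0 or as the maximum signed 64-bit value.
NEVER_EXPIRES = {0, 9223372036854775807}


def filetime_to_unix_ms(account_expires):
    """Convert an AD accountExpires FILETIME (int or LDAP string) to Unix epoch ms.

    Returns None when the account never expires.
    """
    value = int(account_expires)
    if value in NEVER_EXPIRES:
        return None
    # Integer arithmetic only: scale ticks to ms, then shift from 1601 to 1970.
    return value // FILETIME_TICKS_PER_MS - FILETIME_EPOCH_OFFSET_SEC * 1000


def is_expired(account_expires, now_ms=None):
    """True if accountExpires lies in the past relative to now_ms.

    now_ms is Unix epoch milliseconds, the same scale as ClearPass's
    [Time Source] "Now MS" value; defaults to the current UTC time.
    """
    if now_ms is None:
        now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    expires_ms = filetime_to_unix_ms(account_expires)
    if expires_ms is None:
        return False  # never-expiring account: do not block
    return expires_ms < now_ms


if __name__ == "__main__":
    # Constructed sample value: 2020-01-01T00:00:00Z as a FILETIME string,
    # in the form an LDAP query returns it.
    sample = "132223104000000000"
    print(filetime_to_unix_ms(sample), is_expired(sample))
```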

New Contributor

Re: ClearPass - check AD accountExpires attribute

Ah! Thank you, that makes sense now.

 

 

CCNA, CWNA, ACMA