Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS and checking user is not disabled or locked in AD

  • 1.  EAP-TLS and checking user is not disabled or locked in AD

    Posted Apr 21, 2016 04:45 PM

    Hello,

    I'm looking to create a service/policy that uses EAP-TLS to authenticate user and machine certificates but for authorization ensures that the account is still in good standing in Active Directory.  Currently we're pulling the Subject CN and I have the policy authenticating valid certificates, but it's still authorizing the user regardless of the status of their account.  I've done this with other Radius products, just trying to figure out how to do it the CPPM way ;)


    Thanks,

    Greg



  • 2.  RE: EAP-TLS and checking user is not disabled or locked in AD

    Posted Apr 21, 2016 05:07 PM
    In the AD auth source you add the userAccountControl attribute and use it (either 512, enabled, or 514, disabled) in your enforcement policies.

    Sent from Outlook for iPhone

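A worked example added here, not part of the thread and not ClearPass code: userAccountControl is a bitmask, so the practitioner's check is on the ACCOUNTDISABLE bit (0x2) rather than on the literal values 512 and 514, which stop matching as soon as any other flag (for example "password never expires", 65536) is set on the account. The flag constants and the 1.2.840.113556.1.4.803 bitwise-AND matching rule are Microsoft's documented values; the sample accounts, function names and the filter shape are constructed for illustration (a ClearPass authentication source filter would substitute its own variable for the username taken from the certificate CN).

```python
"""
Added example: treat Active Directory's userAccountControl as a bitmask.

Comparing the attribute with 512 (enabled) or 514 (disabled) works only for
plain accounts; an extra flag such as DONT_EXPIRE_PASSWD (65536) turns those
into 66048 / 66050 and a literal comparison silently stops matching.
Testing the ACCOUNTDISABLE bit is robust to the other flags.
"""

# Flag values from Microsoft's userAccountControl documentation.
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010            # stored bit; not reliably maintained by AD
NORMAL_ACCOUNT = 0x0200     # 512
DONT_EXPIRE_PASSWD = 0x10000
SMARTCARD_REQUIRED = 0x40000
PASSWORD_EXPIRED = 0x800000

# LDAP_MATCHING_RULE_BIT_AND: lets the directory evaluate the bit test.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def is_disabled(uac: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set, whatever else is set."""
    return bool(uac & ACCOUNTDISABLE)


def is_locked_out(uac: int, lockout_time: int = 0) -> bool:
    """Lockout check.

    AD does not reliably set LOCKOUT in the stored userAccountControl, so a
    non-zero lockoutTime (a Windows FILETIME) is also treated as locked.
    Caveat: a lockout that has already expired via lockoutDuration keeps a
    non-zero lockoutTime until the next successful logon; the constructed
    attribute msDS-User-Account-Control-Computed carries an accurate LOCKOUT
    bit and is the better source where the RADIUS server can fetch it.
    """
    return bool(uac & LOCKOUT) or lockout_time != 0


def account_in_good_standing(uac: int, lockout_time: int = 0) -> bool:
    """Authorization decision: neither disabled nor locked out."""
    return not is_disabled(uac) and not is_locked_out(uac, lockout_time)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping, so a certificate CN cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def enabled_user_filter(sam_account_name: str) -> str:
    """Filter matching only accounts whose ACCOUNTDISABLE bit is clear."""
    return (
        f"(&(objectClass=user)(sAMAccountName={ldap_escape(sam_account_name)})"
        f"(!(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})))"
    )


# Constructed sample directory entries (not real accounts).
SAMPLE_USERS = {
    "alice": {"userAccountControl": 512, "lockoutTime": 0},      # plain, enabled
    "bob":   {"userAccountControl": 514, "lockoutTime": 0},      # plain, disabled
    "carol": {"userAccountControl": 66048, "lockoutTime": 0},    # enabled, password never expires
    "dave":  {"userAccountControl": 66050, "lockoutTime": 0},    # disabled, password never expires
    "erin":  {"userAccountControl": 512, "lockoutTime": 132500000000000000},  # locked out
}


def bitmask_decision(users=SAMPLE_USERS) -> dict:
    """Per-user result of the bit test."""
    return {n: account_in_good_standing(a["userAccountControl"], a["lockoutTime"])
            for n, a in users.items()}


def literal_512_decision(users=SAMPLE_USERS) -> dict:
    """What an 'equals 512' enforcement condition would conclude."""
    return {n: a["userAccountControl"] == 512 for n, a in users.items()}


if __name__ == "__main__":
    bits, literal = bitmask_decision(), literal_512_decision()
    for name in SAMPLE_USERS:
        print(f"{name:6} bitmask={bits[name]!s:5} equals512={literal[name]}")
    print(enabled_user_filter("gsmith"))
```

Running it shows carol (enabled, password never expires) rejected by the literal comparison but allowed by the bit test, and erin (locked out) allowed by the literal comparison because her stored value is still 512. Whichever RADIUS product evaluates the attribute, the enforcement condition should be a bit test or the directory-side matching rule, not an equality against 512.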

  • 3.  RE: EAP-TLS and checking user is not disabled or locked in AD

    Posted Apr 25, 2016 01:24 PM

    Thanks Victor,

    I think your answer is on the right track.  Can you send me some extra details on how to configure this?


    Sorry for the lengthy gap, it's been a busy week of projects lately.


    Thanks,

    Greg



  • 4.  RE: EAP-TLS and checking user is not disabled or locked in AD

    EMPLOYEE
    Posted Apr 21, 2016 05:08 PM


    In your EAP-TLS authentication method, you would make sure that "authorization required" is enabled.  My apologies if you have already tried that.

     

    http://www.arubanetworks.com/techdocs/ClearPass/Aruba_CPPMOnlineHelp/index.htm#CPPM_UserGuide/Auth/AuthMethod_eap-tls.htm?Highlight=eap-tlsauthorization