Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[How-To]: Enforce policy based on Active Directory Password Expiry

  • 1.  [How-To]: Enforce policy based on Active Directory Password Expiry

    Posted Sep 21, 2020 04:29 PM

    A brief how-to on applying policy based on the Active Directory: Password Expiry attribute. This will be quick and won't be too detailed.
    Environment:

    CPPM: 6.9.1

    Windows Active Directory (Server 2016)
    Overview:

    Recently a customer asked how to handle policy around password expiration. If they can't connect when their password is expired, then how can they reset it?

    I did not want to stand up SCSM or something similar for self-service PW reset, and telling them to join the Guest network is not an answer. The real answer is to be proactive. This is what I came up with.
    I came up with a new [Time Source] filter that will take the msDS-UserPasswordExpiryTimeComputed entry and convert it into a Linux timestamp reduced to days.
    [Time Source] filter:

    SELECT ceil((((%{Authorization:AD Source:Password Expire}/10000000) - 11644473600) - (EXTRACT (EPOCH FROM NOW()))) / 86400) AS pw_expire_days
    You will also have to set up an Active Directory filter to pull the msDS-UserPasswordExpiryTimeComputed attribute from AD. This is not included in the default AD authentication source.

    NOTE: The AD filter alias you use must be reflected properly in the [Time Source] filter because this data will be pulled dynamically upon every auth request to CPPM.

    After this is completed you can then apply policy by evaluating how far out the password is set to expire.

    For example:
    (Authorization:[Time Source]:PW Expire Days  LESS_THAN  7) AOS - Wireless - Role - pw_reset_role
    ENDPOINT - SET PW_NOTICE_RECEIVED
    SESSION TIMEOUT - 60
    One scenario that I have tested:

    • Assign user to role with a CP assigned informing them that their PW will expire in X days.
    • Set an Endpoint attribute that they've received the notice (so they don't keep hitting the CP).
    • Session:Timeout so they aren't stuck in that role.

    Another simpler scenario is just to fire the user an email to their AD email field that their PW will expire in X days.
    NOTE: I didn't provide too much detail as I just wanted to share the [Time Source] filter in case it may help someone else out in the future.
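The arithmetic in the [Time Source] filter above, worked through in Python as an added example (this is not code from the post or from ClearPass). It reproduces the same conversion: msDS-UserPasswordExpiryTimeComputed is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), so dividing by 10,000,000 gives seconds and subtracting 11644473600 moves the epoch to 1970-01-01, after which the remaining time is rounded up to whole days. The threshold of 7 days and the role name pw_reset_role are taken from the post; the handling of the "never expires" sentinel (AD reports 0x7FFFFFFFFFFFFFFF for accounts whose password does not expire) is an addition that the original filter does not cover, and the sample timestamps are constructed.

```python
import math
from datetime import datetime, timezone
from typing import Optional

# Constants used by the ClearPass [Time Source] filter in the post.
HUNDRED_NS_PER_SECOND = 10_000_000   # FILETIME ticks per second
EPOCH_DIFF_SECONDS = 11644473600     # seconds between 1601-01-01 and 1970-01-01 (UTC)

# AD returns this value for msDS-UserPasswordExpiryTimeComputed when the
# account's password never expires. The filter on the page does not special-case
# it, so this branch is an addition here, not part of the original filter.
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF

# Constructed "now" for a reproducible run (the post date, in UTC).
NOW = datetime(2020, 9, 21, 16, 29, 0, tzinfo=timezone.utc)
NOW_UNIX = int(NOW.timestamp())


def filetime_to_unix(filetime: int) -> int:
    """FILETIME ticks -> Unix epoch seconds, exactly as the SQL filter does it."""
    return filetime // HUNDRED_NS_PER_SECOND - EPOCH_DIFF_SECONDS


def unix_to_filetime(unix_seconds: int) -> int:
    """Inverse conversion, used only to build constructed test values."""
    return (unix_seconds + EPOCH_DIFF_SECONDS) * HUNDRED_NS_PER_SECOND


def pw_expire_days(filetime: int, now_unix: int = NOW_UNIX) -> Optional[int]:
    """Days until the password expires, rounded up like ceil() in the filter.

    Negative values mean the password has already expired. Returns None when
    AD reports that the password never expires (assumption: treat the sentinel
    as "no expiry" rather than feeding it into the date arithmetic).
    """
    if filetime >= NEVER_EXPIRES:
        return None
    remaining_seconds = filetime_to_unix(filetime) - now_unix
    return math.ceil(remaining_seconds / 86400)


def evaluate_policy(filetime: int, now_unix: int = NOW_UNIX, threshold_days: int = 7) -> str:
    """Mirror the enforcement rule from the post:
    (Authorization:[Time Source]:PW Expire Days LESS_THAN 7) -> pw_reset_role.
    Anything else, including passwords that never expire, gets the normal role
    (called "default" here; the real role name is deployment-specific)."""
    days = pw_expire_days(filetime, now_unix)
    if days is not None and days < threshold_days:
        return "pw_reset_role"
    return "default"


if __name__ == "__main__":
    # Constructed sample values: 5 days + 2 hours out, 30 days out, expired 2 days ago, never expires.
    samples = {
        "expires in ~5 days": unix_to_filetime(NOW_UNIX + 5 * 86400 + 7200),
        "expires in 30 days": unix_to_filetime(NOW_UNIX + 30 * 86400),
        "expired 2 days ago": unix_to_filetime(NOW_UNIX - 2 * 86400),
        "never expires": NEVER_EXPIRES,
    }
    for label, ft in samples.items():
        print(f"{label:20s} pw_expire_days={pw_expire_days(ft)!s:>5} role={evaluate_policy(ft)}")
```

Because the SQL filter uses ceil(), a password with 5 days and 2 hours left reports 6 days, which is what a user sees on the captive portal; the rounding is toward "more urgent", which is the safe direction for a warning. Already-expired passwords produce negative day counts and therefore also match LESS_THAN 7, so the same role catches users who are already locked out of their normal access.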