Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

using ldap errors to inform portal users reason auth failure

  • 1.  using ldap errors to inform portal users reason auth failure

    MVP
    Posted Feb 13, 2014 08:29 AM

    So I have a customer where a portal is used to grant access to AD users.

    Their AD has a requirement to change passwords every x time. Problem however is that these users might never connect to the corporate network anymore as the portal is facing out to internet.

     

    When such a user account has an expired password he cannot log on anymore.
    Access Tracker however shows an IETF Reply-Message with (a code for) the exact reason.

     

    Is there any way to leverage that ietf reply-message to redirect the user to a different portal where he can set a new password?

    Or in the very least translate that code and return an understandable error instead of just failing?
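The "translate that code into an understandable error" part can be demonstrated independently of ClearPass. The example below is added here and is not ClearPass code or anything posted in this thread: it parses the diagnostic string Active Directory attaches to a failed LDAP bind (the raw form of the reason that ends up in Access Tracker) and maps the AD sub-code to a portal decision. The sample diagnostic strings are constructed, and the DSID/version fields in them are placeholders. The one design rule worth noting: only the two "password must be changed" codes get a specific message; every other failure is reported to the user identically, because distinguishing "user not found" from "wrong password" or "account disabled" on an Internet-facing portal hands an attacker account-enumeration data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples of the AD bind diagnostic text. The "data NNN" field is the
# part that carries the real reason; DSID and the trailing v-number are placeholders.
SAMPLE_BIND_ERRORS = [
    "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 532, v0000",
    "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 773, v0000",
    "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v0000",
    "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 525, v0000",
]

# Documented AD sub-codes (hexadecimal) returned in the bind diagnostic.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Only these two justify sending the user to a self-service password-change page.
PASSWORD_CHANGE_CODES = {"532", "773"}

GENERIC_USER_MESSAGE = "Login failed. Check your username and password."
PASSWORD_CHANGE_MESSAGE = (
    "Your password has expired or must be changed. "
    "Please set a new password to continue."
)

DATA_CODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


@dataclass
class PortalOutcome:
    code: Optional[str]                 # AD sub-code, or None if the string had none
    internal_reason: str                # for the operator log only, never shown to the user
    user_message: str                   # what the portal page displays
    redirect_to_password_change: bool   # whether to send the user to the reset portal


def parse_ad_data_code(diagnostic: str) -> Optional[str]:
    """Extract the hexadecimal 'data' sub-code from an AD bind diagnostic string."""
    match = DATA_CODE_RE.search(diagnostic)
    return match.group(1).lower() if match else None


def classify_bind_failure(diagnostic: str) -> PortalOutcome:
    """Turn a failed-bind diagnostic into a logged reason plus a safe user-facing outcome."""
    code = parse_ad_data_code(diagnostic)
    if code is None:
        reason = "no AD data code present in diagnostic"
    else:
        reason = AD_DATA_CODES.get(code, "unrecognised AD data code")

    if code in PASSWORD_CHANGE_CODES:
        return PortalOutcome(code, reason, PASSWORD_CHANGE_MESSAGE, True)
    # Everything else collapses to one message so account state is not leaked.
    return PortalOutcome(code, reason, GENERIC_USER_MESSAGE, False)


if __name__ == "__main__":
    for diag in SAMPLE_BIND_ERRORS:
        outcome = classify_bind_failure(diag)
        print(f"log: code={outcome.code} reason={outcome.internal_reason!r}")
        print(f"user sees: {outcome.user_message} (redirect={outcome.redirect_to_password_change})")
```

In practice `internal_reason` goes to the portal's own log (or stays in Access Tracker), while only `user_message` and the redirect decision reach the browser.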

     



  • 2.  RE: using ldap errors to inform portal users reason auth failure

    EMPLOYEE
    Posted Feb 13, 2014 09:32 AM

    In 6.3 for Clearpass, we have introduced an exposed way of checking for account expiration.  Based on this, you can write a policy to redirect based on this value.



  • 3.  RE: using ldap errors to inform portal users reason auth failure

    MVP
    Posted Feb 13, 2014 09:37 AM

    Details please.

    I'm using AD users and can see the IETF reply-messages... but how do I turn that into something useful?

    Since the AD passwd has expired we simply get presented a deny and any role we try pushing gets ignored.



  • 4.  RE: using ldap errors to inform portal users reason auth failure

    EMPLOYEE
    Posted Feb 13, 2014 09:49 AM

    Hmmm... I reread your inquiry.  If the account is ALREADY expired, then it is a reject and I don't believe there is much we can do with that as it's a denial.  However, before the account expires, we can notify the user that it will expire.  Again, this is a new feature, so it's not something I've personally configured (yet).



  • 5.  RE: using ldap errors to inform portal users reason auth failure

    MVP
    Posted Feb 13, 2014 09:54 AM

    We have that running with our certificates.

    This is a portal that authenticates AD users (not internal guests) so don't think there's an easy way to know when the passwd is going to expire or anything.

     

    Is there perhaps a way to return an accept even when the account doesn't authenticate?



  • 6.  RE: using ldap errors to inform portal users reason auth failure

    MVP
    Posted Feb 14, 2014 11:46 AM

    So nobody with any brilliant ideas on how to get this working?



  • 7.  RE: using ldap errors to inform portal users reason auth failure

    EMPLOYEE
    Posted Feb 15, 2014 08:31 AM

    Put a link to the password reset portal on the login page? .......:)



  • 8.  RE: using ldap errors to inform portal users reason auth failure

    MVP
    Posted Feb 17, 2014 11:05 AM

    Far from ideal as this portal is also available for guests, but seeing as nobody comes up with a brilliant proposal I'm guessing it's pretty much the only option left.

     

    Has anybody got some more details about this little bit of the 6.3 release notes perhaps:

    - Added the ability to verify whether an Active Directory account has expired. (#15552)

     

    Seems to be pretty much what I need, or is that only info for accesstracker, not towards the user?
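Posts 4 and 8 both turn on the same underlying data: Active Directory stores the account expiry and the last password change as timestamps, so "has this account expired" and "will this password expire soon" can be computed before the user is rejected. The example below is added here and is neither ClearPass code nor the 6.3 feature the release note refers to; it shows the arithmetic a product or script would have to do. It assumes the user's `pwdLastSet`, `accountExpires` and `userAccountControl` attributes and the domain's `maxPwdAge` have already been read via LDAP (the values here are constructed, and the reference time is fixed so the results are reproducible). AD stores these as Windows FILETIME values (100-nanosecond ticks since 1601-01-01 UTC); `maxPwdAge` is negative, and `0` or `0x7FFFFFFFFFFFFFFF` in `accountExpires` means "never".

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = {0, 0x7FFFFFFFFFFFFFFF}      # accountExpires values meaning "never"
UF_DONT_EXPIRE_PASSWD = 0x10000               # userAccountControl flag


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME integer to an aware UTC datetime (None for 'never')."""
    if ft in FILETIME_NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed samples."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class ExpiryStatus:
    account_expired: bool
    password_expired: bool
    password_expires_at: Optional[datetime]   # None when the password never expires
    days_until_password_expiry: Optional[int] # negative once expired, None when never


def evaluate_expiry(user: dict, max_pwd_age: int, now: datetime) -> ExpiryStatus:
    """Decide account/password expiry from the raw AD attribute values."""
    account_expires_at = filetime_to_datetime(int(user["accountExpires"]))
    account_expired = account_expires_at is not None and account_expires_at <= now

    uac = int(user["userAccountControl"])
    pwd_last_set = int(user["pwdLastSet"])

    if uac & UF_DONT_EXPIRE_PASSWD:
        return ExpiryStatus(account_expired, False, None, None)
    if pwd_last_set == 0:
        # pwdLastSet of 0 means "must change password at next logon".
        return ExpiryStatus(account_expired, True, now, 0)

    # maxPwdAge is stored as a negative tick count; its magnitude is the lifetime.
    lifetime = timedelta(microseconds=abs(max_pwd_age) // 10)
    expires_at = filetime_to_datetime(pwd_last_set) + lifetime
    days_left = (expires_at - now).days
    return ExpiryStatus(account_expired, expires_at <= now, expires_at, days_left)


def needs_expiry_warning(status: ExpiryStatus, warn_within_days: int = 14) -> bool:
    """True when the portal should warn the user to change the password soon."""
    if status.days_until_password_expiry is None:
        return False
    return 0 <= status.days_until_password_expiry <= warn_within_days


# ---- constructed sample data (not from any real directory) ----
NOW = datetime(2014, 2, 13, 8, 29, tzinfo=timezone.utc)
MAX_PWD_AGE = -(90 * 24 * 3600 * 10_000_000)   # domain policy: 90-day passwords

SAMPLE_USERS = {
    # password set 100 days ago -> expired 10 days ago
    "expired_pw": {"pwdLastSet": datetime_to_filetime(NOW - timedelta(days=100)),
                   "accountExpires": 0, "userAccountControl": 0x200},
    # password set 85 days ago -> expires in 5 days, should be warned
    "expiring_soon": {"pwdLastSet": datetime_to_filetime(NOW - timedelta(days=85)),
                      "accountExpires": 0x7FFFFFFFFFFFFFFF, "userAccountControl": 0x200},
    # password flagged never-expire
    "service_acct": {"pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400)),
                     "accountExpires": 0, "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
    # account itself expired yesterday
    "left_company": {"pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
                     "accountExpires": datetime_to_filetime(NOW - timedelta(days=1)),
                     "userAccountControl": 0x200},
}


def sample_report() -> dict:
    """Evaluate every constructed user against the fixed reference time."""
    return {name: evaluate_expiry(attrs, MAX_PWD_AGE, NOW) for name, attrs in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for name, status in sample_report().items():
        print(name, status, "warn" if needs_expiry_warning(status) else "")
```

The check that matters for this thread is the "expiring_soon" case: a user in that state still authenticates, so a policy can act on the result (warn, or redirect to a change-password page) before the directory starts rejecting the bind.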