checking whether an AD accou t is enabled or disabled in FR 3.0.17
I've been trialing eap-tls for users for quite a while. Unfortunately our security people insisted that in addition to eap-tls I had to check that the associated users AD account was also enabled. In clearpass ( on site authentication service) this is a simple thing to do. So on campus a user can use eap-tls on their client providing their AD account is enabled. If account enabled Access-Accept, if not Access-Reject. However, our external facing RADIUS servers are FR 3.0.17 boxes acting as our ORPS systems. Inbound from the outside world EAP-TLS requests get handled by freeradius which then performs an OCSP validation request. This all works except for the fact I'm not checking for an enabled AD account. FR is configured to use winbindd. The TLS cert CN is of the form <userid>-<4digit hex number>@york.ac.uk Is there any way of me checking for an enabled AD account? e.g. ntlm_auth using userid component of the CN and checking a status response ? or another way ? Rgs Alex
On Jul 13, 2018, at 6:26 AM, Alex Sharaz via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I've been trialing eap-tls for users for quite a while. Unfortunately our security people insisted that in addition to eap-tls I had to check that the associated users AD account was also enabled. In clearpass ( on site authentication service) this is a simple thing to do.
So on campus a user can use eap-tls on their client providing their AD account is enabled. If account enabled Access-Accept, if not Access-Reject.
That can be checked via an LDAP query.
However, our external facing RADIUS servers are FR 3.0.17 boxes acting as our ORPS systems. Inbound from the outside world EAP-TLS requests get handled by freeradius which then performs an OCSP validation request.
Which makes the AD queries unnecessary. But whatever...
This all works except for the fact I'm not checking for an enabled AD account. FR is configured to use winbindd. The TLS cert CN is of the form <userid>-<4digit hex number>@york.ac.uk
Is there any way of me checking for an enabled AD account? e.g. ntlm_auth using userid component of the CN and checking a status response ? or another way ?
Just use LDAP. Split the username via a regex, and then do an LDAP query to see if the account is enabled. Test via the LDAP client command line. Then use that in FreeRADIUS. if ("%{ldap:...}" ...) Alan DeKok.
On Fri, 2018-07-13 at 11:26 +0100, Alex Sharaz via Freeradius-Users wrote:
This all works except for the fact I'm not checking for an enabled AD account. FR is configured to use winbindd. The TLS cert CN is of the form <userid>-<4digit hex number>@york.ac.uk
Is there any way of me checking for an enabled AD account? e.g. ntlm_auth using userid component of the CN and checking a status response ? or another way ?
Split the CN up with a regex to get the username, then do an LDAP lookup against AD to check to see if the account is enabled or not. -- Matthew
participants (3)
-
Alan DeKok -
Alex Sharaz -
Matthew Newton