checking whether an AD accou t is enabled or disabled in FR 3.0.17

Alex Sharaz alex.sharaz at
Fri Jul 13 12:26:56 CEST 2018

I've been trialing eap-tls for users for quite a while. Unfortunately
our security people insisted that in addition to eap-tls I had to
check that the associated users AD account was also enabled. In
clearpass ( on site authentication service) this is a simple thing to

So on campus a user can use eap-tls on their client providing their AD
account is enabled. If account enabled Access-Accept, if not

However, our external facing RADIUS servers are FR 3.0.17 boxes acting
as our ORPS systems. Inbound from the outside world EAP-TLS requests
get handled by freeradius which then performs an OCSP validation

This all works except for the fact I'm not checking for an enabled AD
account. FR is configured to use winbindd. The TLS cert CN is of the
form <userid>-<4digit hex number>

Is there any way of me checking for an enabled AD account? e.g.
ntlm_auth using userid component of the CN and checking a status
response ? or another way ?


More information about the Freeradius-Users mailing list