checking whether an AD accou t is enabled or disabled in FR 3.0.17
Alex Sharaz
alex.sharaz at york.ac.uk
Fri Jul 13 12:26:56 CEST 2018
I've been trialing eap-tls for users for quite a while. Unfortunately
our security people insisted that in addition to eap-tls I had to
check that the associated users AD account was also enabled. In
clearpass ( on site authentication service) this is a simple thing to
do.
So on campus a user can use eap-tls on their client providing their AD
account is enabled. If account enabled Access-Accept, if not
Access-Reject.
However, our external facing RADIUS servers are FR 3.0.17 boxes acting
as our ORPS systems. Inbound from the outside world EAP-TLS requests
get handled by freeradius which then performs an OCSP validation
request.
This all works except for the fact I'm not checking for an enabled AD
account. FR is configured to use winbindd. The TLS cert CN is of the
form <userid>-<4digit hex number>@york.ac.uk
Is there any way of me checking for an enabled AD account? e.g.
ntlm_auth using userid component of the CN and checking a status
response ? or another way ?
Rgs
Alex
More information about the Freeradius-Users
mailing list