checking whether an AD account is enabled or disabled in FR 3.0.17
Alan DeKok
aland at deployingradius.com
Fri Jul 13 13:19:41 CEST 2018
On Jul 13, 2018, at 6:26 AM, Alex Sharaz via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I've been trialing eap-tls for users for quite a while. Unfortunately
> our security people insisted that in addition to eap-tls I had to
> check that the associated user's AD account was also enabled. In
> ClearPass (on-site authentication service) this is a simple thing to
> do.
>
> So on campus a user can use eap-tls on their client providing their AD
> account is enabled. If account enabled Access-Accept, if not
> Access-Reject.
That can be checked via an LDAP query.
> However, our external facing RADIUS servers are FR 3.0.17 boxes acting
> as our ORPS systems. Inbound from the outside world EAP-TLS requests
> get handled by freeradius which then performs an OCSP validation
> request.
Which makes the AD queries unnecessary. But whatever...
> This all works except for the fact I'm not checking for an enabled AD
> account. FR is configured to use winbindd. The TLS cert CN is of the
> form <userid>-<4digit hex number>@york.ac.uk
>
> Is there any way of me checking for an enabled AD account? e.g.
> ntlm_auth using the userid component of the CN and checking a status
> response? Or another way?
Just use LDAP. Split the username via a regex, and then do an LDAP query to see if the account is enabled.
Test via the LDAP client command line. Then use that in FreeRADIUS.
if ("%{ldap:...}" ...)
Alan DeKok.
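The two halves of Alan's suggestion (split the userid out of the certificate CN with a regex, then ask AD whether that account is enabled) as shell functions that can be tried on the command line before the same logic goes into FreeRADIUS. This is an added example, not code from the thread or from the FreeRADIUS project; the LDIF it checks is a constructed sample of what ldapsearch prints, and the directory host, bind DN and search base in the comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Realm and CN shape are taken from the
# original post: <userid>-<4 hex digits>@york.ac.uk

# 1. Split the certificate CN into its userid component.
#    Prints the userid; prints nothing and returns 1 when the CN has another
#    shape, so a malformed CN never turns into a lookup of some other account.
userid_from_cn() {
    printf '%s\n' "$1" \
      | sed -n 's/^\([A-Za-z0-9._]\{1,\}\)-[0-9A-Fa-f]\{4\}@york\.ac\.uk$/\1/p' \
      | grep .
}

# 2. AD records "disabled" as bit 0x2 (ACCOUNTDISABLE) of userAccountControl.
#    Returns 0 when the account is enabled, non-zero otherwise. A missing or
#    non-numeric value is treated as "not enabled" (fail closed).
account_enabled() {
    uac=$1
    case $uac in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ $(( uac & 2 )) -eq 0 ]
}

# 3. Pull userAccountControl out of LDIF on stdin, as printed by "ldapsearch -LLL".
#    A real query (host, bind DN and base are assumed placeholders) would be:
#      ldapsearch -LLL -H ldaps://dc.example.ac.uk -D "$BIND_DN" -w "$BIND_PW" \
#        -b 'DC=example,DC=ac,DC=uk' "(sAMAccountName=$userid)" userAccountControl
uac_from_ldif() {
    sed -n 's/^userAccountControl: *//p' | head -n 1
}

# Constructed sample results: 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT|ACCOUNTDISABLE.
LDIF_ENABLED='dn: CN=abc123,OU=Staff,DC=example,DC=ac,DC=uk
sAMAccountName: abc123
userAccountControl: 512'
LDIF_DISABLED='dn: CN=abc123,OU=Staff,DC=example,DC=ac,DC=uk
sAMAccountName: abc123
userAccountControl: 514'

# End-to-end decision for one CN and one LDIF result:
# returns 0 (Access-Accept) only if the CN parses AND the account is enabled.
check_cn() {
    cn=$1
    ldif=$2
    userid=$(userid_from_cn "$cn") || return 1
    uac=$(printf '%s\n' "$ldif" | uac_from_ldif)
    account_enabled "$uac"
}

if check_cn 'abc123-1a2f@york.ac.uk' "$LDIF_ENABLED"; then echo accept; else echo reject; fi
if check_cn 'abc123-1a2f@york.ac.uk' "$LDIF_DISABLED"; then echo accept; else echo reject; fi
```

Once the command-line query returns what you expect, the same test can be pushed into the LDAP filter itself rather than into unlang arithmetic: AD's bitwise-AND matching rule `(userAccountControl:1.2.840.113556.1.4.803:=2)` matches disabled accounts, so a filter such as `(&(sAMAccountName=%{1})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))` returns an entry only for enabled accounts, and the FreeRADIUS side reduces to a regex on `&TLS-Client-Cert-Common-Name` to capture `%{1}` followed by an `if ("%{ldap:...}" != "")` on that filter. Treat that mapping as my assumption about the configuration, not as anything stated in the thread.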