
New Member

ISE & AD EAP-TLS

Hello,

I have a typical deployment of EAP-TLS in a wireless network, with ISE and AD. The "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory" feature is activated.

The problem is, when the user account in AD is disabled, it can still authenticate to ISE without any issue?

Until the user certificate is deleted from AD.

How is it possible to make sure that when a user account is disabled in AD, it is unable to authenticate with EAP-TLS?


2 REPLIES
Gold

ISE & AD EAP-TLS

I think this should be under operator control with the following attribute, which can be used in the authorization policy to define a condition for what should be performed in such a case:

IdentityAccessRestricted, which is created automatically in the Active Directory dictionary
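Added example, not code from the thread or from Cisco: a small Python model of why a disabled account passes EAP-TLS and how an authorization condition on IdentityAccessRestricted closes the gap. It assumes a constructed in-memory directory and that ISE sets IdentityAccessRestricted when the AD account's userAccountControl has the ACCOUNTDISABLE bit (0x2) set; the policy evaluation is a simplified model, not ISE's own logic.

```python
# Constructed sample directory: two AD users with a stored certificate and userAccountControl.
ACCOUNTDISABLE = 0x2      # ACCOUNTDISABLE bit of userAccountControl
NORMAL_ACCOUNT = 0x200    # NORMAL_ACCOUNT bit of userAccountControl

AD_USERS = {
    "alice": {"userCertificate": b"CERT-ALICE", "userAccountControl": NORMAL_ACCOUNT},
    "bob":   {"userCertificate": b"CERT-BOB",   "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
}


def binary_cert_match(user: str, presented_cert: bytes) -> bool:
    """Model of 'Perform Binary Certificate Comparison': the certificate presented in
    EAP-TLS must be byte-for-byte identical to the one stored on the AD user object.
    Note this says nothing about whether the account itself is enabled."""
    stored = AD_USERS.get(user, {}).get("userCertificate")
    return stored is not None and stored == presented_cert


def ad_dictionary_attributes(user: str) -> dict:
    """Model of the AD dictionary attributes available to the authorization policy.
    Assumption: IdentityAccessRestricted is True when the account is disabled."""
    uac = AD_USERS[user]["userAccountControl"]
    return {"IdentityAccessRestricted": bool(uac & ACCOUNTDISABLE)}


def evaluate(user: str, presented_cert: bytes, check_restricted: bool) -> str:
    """Two-stage decision: authentication (certificate comparison), then authorization.
    With check_restricted=False the policy behaves like the thread's problem case."""
    if not binary_cert_match(user, presented_cert):
        return "REJECT: certificate does not match AD"
    if check_restricted and ad_dictionary_attributes(user)["IdentityAccessRestricted"]:
        return "DENY: IdentityAccessRestricted"
    return "PERMIT"


if __name__ == "__main__":
    # bob is disabled but his certificate still matches, so without the
    # authorization condition he is permitted; with it, he is denied.
    print(evaluate("bob", b"CERT-BOB", check_restricted=False))
    print(evaluate("bob", b"CERT-BOB", check_restricted=True))
    print(evaluate("alice", b"CERT-ALICE", check_restricted=True))
```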

New Member

ISE & AD EAP-TLS

Hello jrabinow,

If I understand correctly, I should check the IdentityAccessRestricted attribute in the Authorization policy, and if it is present then it means that the user was disabled in AD, and deny access for the user?

thank you,

