ISE & AD EAP-TLS

ngtransge
Level 1

Hello,

I have a typical deployment of EAP-TLS in a wireless network, with ISE and AD. The "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory" feature is activated.

The problem is, when a user account in AD is disabled, it can still authenticate to ISE without any issue.

Until the user certificate is deleted from AD.

How is it possible to make sure that when a user account is disabled in AD, it is unable to authenticate with EAP-TLS?


2 Replies

jrabinow
Level 7

I think this should be under operator control with the following attribute, which can be used in the authorization policy to define a condition for what should be performed in such a case:

IdentityAccessRestricted, which is created automatically in the Active Directory dictionary

Hello jrabinow,

If I understand correctly, I should check the IdentityAccessRestricted attribute in the authorization policy, and if it is present then it means that the user was disabled in AD, and deny access for the user?

thank you,
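To make the point of the thread concrete, here is a small added Python model of the two checks involved (this is example code written for this page, not ISE code or anything from the posters). It mimics what "Perform Binary Certificate Comparison" does, a byte-for-byte match of the presented certificate against the userCertificate values stored in AD, and then shows why that alone passes for a disabled account: the certificate bytes do not change when the account is disabled, only the ACCOUNTDISABLE bit (0x0002) in the AD userAccountControl attribute does. The names AdUser, binary_cert_match and authorize, and the way IdentityAccessRestricted is modelled purely as that one bit, are assumptions made for the example; the certificate blobs are constructed stand-ins, not real DER.

```python
import hashlib
from dataclasses import dataclass, field

# Active Directory userAccountControl flag for a disabled account.
ACCOUNTDISABLE = 0x0002


@dataclass
class AdUser:
    """Minimal stand-in (assumption for this example) for the AD attributes ISE reads."""
    sam_account_name: str
    user_account_control: int
    # DER blobs from the multi-valued userCertificate attribute.
    user_certificates: list = field(default_factory=list)


def binary_cert_match(presented_der: bytes, user: AdUser) -> bool:
    """Model of ISE's binary certificate comparison: the certificate sent in
    EAP-TLS must be byte-identical to one of the userCertificate values.
    Hashing both sides keeps the comparison constant-size; nothing here looks
    at the account's enabled/disabled state."""
    presented = hashlib.sha256(presented_der).digest()
    return any(hashlib.sha256(c).digest() == presented for c in user.user_certificates)


def identity_access_restricted(user: AdUser) -> bool:
    """Model of the IdentityAccessRestricted attribute from the AD dictionary.
    Assumption for this example: treated as set when ACCOUNTDISABLE is set."""
    return bool(user.user_account_control & ACCOUNTDISABLE)


def authorize(presented_der: bytes, user: AdUser, enforce_restriction: bool) -> str:
    """Authentication + authorization decision.

    enforce_restriction=False reproduces the behaviour reported in the thread:
    a disabled account with its certificate still in AD is permitted.
    enforce_restriction=True adds an authorization rule that denies access
    when IdentityAccessRestricted is set."""
    if not binary_cert_match(presented_der, user):
        return "REJECT: certificate not found in AD userCertificate"
    if enforce_restriction and identity_access_restricted(user):
        return "DENY_ACCESS: IdentityAccessRestricted"
    return "PERMIT_ACCESS"


# Constructed sample data (not real certificates or AD records).
ALICE_CERT = b"\x30\x82\x01\x00" + b"alice-eap-tls-cert".ljust(64, b"\x00")

alice_enabled = AdUser("alice", 0x0200, [ALICE_CERT])                   # NORMAL_ACCOUNT
alice_disabled = AdUser("alice", 0x0200 | ACCOUNTDISABLE, [ALICE_CERT])  # disabled, cert kept
alice_cert_removed = AdUser("alice", 0x0200 | ACCOUNTDISABLE, [])        # cert deleted from AD


def demo() -> dict:
    """Return the decision for each scenario so the outcomes can be checked."""
    return {
        "enabled, no rule": authorize(ALICE_CERT, alice_enabled, False),
        "disabled, no rule": authorize(ALICE_CERT, alice_disabled, False),
        "disabled, deny rule": authorize(ALICE_CERT, alice_disabled, True),
        "disabled, cert removed": authorize(ALICE_CERT, alice_cert_removed, False),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario:24} -> {decision}")
```

Run it and the second line ("disabled, no rule") is exactly the symptom from the original post: the binary comparison still matches, so without an authorization rule on IdentityAccessRestricted the disabled user gets network access until the certificate is removed from AD.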