12-12-2013 06:33 AM - edited 03-10-2019 09:11 PM
Hello,
I have a typical deployment of EAP-TLS in a wireless network, with ISE and AD. The "Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory" feature is activated.
The problem is, when a user account in AD is disabled, it can still authenticate to ISE without any issue?
Until the user certificate is deleted from AD.
How is it possible to make sure that when a user account is disabled in AD, it is unable to authenticate with EAP-TLS?
12-12-2013 01:29 PM
I think this should be under operator control with the following attribute, which can be used in the authorization policy to define a condition for what should be performed in such a case:
IdentityAccessRestricted, which is created automatically in the Active Directory dictionary
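Added illustration of the point above (this is not code from the thread and not ISE's own implementation): a small Python model of the authorization decision, showing that a policy built only on the binary certificate comparison still permits a disabled account, and that an additional condition on an IdentityAccessRestricted-style attribute is what turns that into a reject. The ADUser class, the authorize() function, the "AD:" attribute prefix and the certificate bytes are constructed for the example; the thread does not say how ISE derives IdentityAccessRestricted, so deriving it from the ACCOUNTDISABLE and LOCKOUT bits of userAccountControl is an assumption made here.

```python
"""Toy model of an EAP-TLS authorization decision against Active Directory.

Constructed illustration, not ISE code. It shows why a certificate-only check
(binary comparison against the account's userCertificate values) still admits a
disabled account, and how an extra policy condition on an
"IdentityAccessRestricted"-style attribute closes that gap.
"""
from dataclasses import dataclass

# Documented bit values of the AD userAccountControl attribute.
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010


@dataclass
class ADUser:
    """Minimal view of an AD user object (constructed sample data)."""
    sam_account_name: str
    user_certificates: list      # DER blobs from the multi-valued userCertificate attribute
    user_account_control: int


def identity_access_restricted(user: ADUser) -> bool:
    """ASSUMPTION: the attribute is modelled as 'account disabled or locked'.

    The thread does not state how ISE computes IdentityAccessRestricted; this
    derivation is ours, chosen to cover the poster's disabled-account case.
    """
    return bool(user.user_account_control & (ACCOUNTDISABLE | LOCKOUT))


def binary_certificate_matches(presented_der: bytes, user: ADUser) -> bool:
    """Byte-for-byte comparison of the presented client certificate with the
    certificates stored on the account (the 'Perform Binary Certificate
    Comparison' behaviour described in the question)."""
    return any(presented_der == stored for stored in user.user_certificates)


def ad_attributes(user: ADUser) -> dict:
    """Attribute dictionary in the style a policy engine exposes to policy
    conditions ("AD:" prefix is an assumption for this example)."""
    return {
        "AD:SamAccountName": user.sam_account_name,
        "AD:IdentityAccessRestricted": "true" if identity_access_restricted(user) else "false",
    }


def authorize(presented_der: bytes, user: ADUser, deny_if_restricted: bool) -> str:
    """Return 'PERMIT' or 'REJECT:<reason>'.

    deny_if_restricted=False models the poster's original policy (certificate
    comparison only); True models adding the IdentityAccessRestricted condition.
    """
    if not binary_certificate_matches(presented_der, user):
        return "REJECT:certificate-not-bound-to-account"
    attrs = ad_attributes(user)
    if deny_if_restricted and attrs["AD:IdentityAccessRestricted"] == "true":
        return "REJECT:IdentityAccessRestricted"
    return "PERMIT"


# Constructed sample: stand-in DER bytes, not a real certificate.
ALICE_CERT = b"\x30\x82\x01\x0a" + b"alice-der-stub"
ALICE_ENABLED = ADUser("alice", [ALICE_CERT], NORMAL_ACCOUNT)
ALICE_DISABLED = ADUser("alice", [ALICE_CERT], NORMAL_ACCOUNT | ACCOUNTDISABLE)


if __name__ == "__main__":
    for label, user in (("enabled", ALICE_ENABLED), ("disabled", ALICE_DISABLED)):
        print(label,
              "| cert-only policy:", authorize(ALICE_CERT, user, False),
              "| with attribute condition:", authorize(ALICE_CERT, user, True))
```

The disabled account with its certificate still present passes the certificate-only path, which matches the behaviour reported in the question; only the second condition rejects it, and the certificate never has to be removed from AD for that to work.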
12-13-2013 03:37 AM
Hello jrabinow,
If I understand correctly, I should check the IdentityAccessRestricted attribute in the Authorization policy, and if it is present then it means that the user was disabled in AD, and deny access for the user?
thank you,