Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Active AD Accounts vs. locked/disabled AD Accounts

mustang2v
Contributor
‎01-13-2016 04:35:PM
‎01-13-2016 04:35:PM

Active AD Accounts vs. locked/disabled AD Accounts

I am currently piloting VPN autoconnect with pulse secure client. Everything is working except for Pulse is allowing locked/disabled AD accounts to connect to VPN. I need a way for Pulse to check the status of the account in Active Directory, and if the account is locked/disabled, fail the VPN connection.
And i need this to work without any input from the user. I want all of this to be seamless to the enduser.

I am running 8.1R7 and using User Cert based authentication and LDAP group membership for authorization.
0 Kudos
6 REPLIES 6
PulseUser
Occasional Contributor
‎01-15-2016 02:15:PM
‎01-15-2016 02:15:PM

Re: Active AD Accounts vs. locked/disabled AD Accounts

I haven't seen this issue, but we aren't using cert-based auth. Just authenticating against their AD account.

If the certificate is valid, it will probably let them sign on. Are you revoking the certificate for disabled accounts?
0 Kudos
kita
Regular Contributor
‎01-16-2016 11:31:PM
‎01-16-2016 11:31:PM

Re: Active AD Accounts vs. locked/disabled AD Accounts

If you are using cert based authentication, it would not check if the account is locked. Since LDAP is used for authorization, you would need to check for an attribute that would correlated if an account is locked and use the results to perform a role map to no roles.

After reading some documentation from MS, it seems there is a large variety of statuses a user account can be in that would result in a locked account. My recommendation would be trying to use LDAP as the primary authentication with a certificate restriction on the realm. It would give similar behavior and would fail auth if the account is locked.
0 Kudos
mustang2v
Contributor
‎01-19-2016 06:37:PM
‎01-19-2016 06:37:PM

Re: Active AD Accounts vs. locked/disabled AD Accounts

Using LDAP for Authentication would still require user input. I am trying to avoid any input from the client. I tried using AD attribute, userAccountControl, for role based authorization but it never worked.
0 Kudos
mustang2v
Contributor
‎01-19-2016 07:39:PM
‎01-19-2016 07:39:PM

Re: Active AD Accounts vs. locked/disabled AD Accounts

played around with the AD attributes again. Got it working to a point. Pulse Secure connects but it puts you in a unusable role. Is there a way to have Pulse not connect at all?
0 Kudos
kcsvignesh
New Contributor
‎07-24-2020 03:38:PM
‎07-24-2020 03:38:PM

Re: Active AD Accounts vs. locked/disabled AD Accounts

Can youplease post the attributes for account disabled ?  which you tested... Thanks...

0 Kudos
pwallace
Community Manager
Community Manager
‎07-24-2020 03:49:PM
‎07-24-2020 03:49:PM

Re: Active AD Accounts vs. locked/disabled AD Accounts

This is a very old thread - I suggest you open a new topic if this is still a problem

© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.