Active AD Accounts vs. locked/disabled AD Accounts

Contributor

I am currently piloting VPN autoconnect with the Pulse Secure client. Everything is working except that Pulse is allowing locked/disabled AD accounts to connect to VPN. I need a way for Pulse to check the status of the account in Active Directory, and if the account is locked/disabled, fail the VPN connection.
And I need this to work without any input from the user. I want all of this to be seamless to the end user.

I am running 8.1R7 and using User Cert based authentication and LDAP group membership for authorization.
Occasional Contributor

Re: Active AD Accounts vs. locked/disabled AD Accounts

I haven't seen this issue, but we aren't using cert-based auth. Just authenticating against their AD account.

If the certificate is valid, it will probably let them sign on. Are you revoking the certificate for disabled accounts?
Community Manager

Re: Active AD Accounts vs. locked/disabled AD Accounts

If you are using cert based authentication, it would not check if the account is locked. Since LDAP is used for authorization, you would need to check for an attribute that would correlate with an account being locked and use the results to perform a role map to no roles.

After reading some documentation from MS, it seems there is a large variety of statuses a user account can be in that would result in a locked account. My recommendation would be trying to use LDAP as the primary authentication with a certificate restriction on the realm. It would give similar behavior and would fail auth if the account is locked.
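As an added example (not from this thread, and not Pulse Secure's own role-mapping code), here is how the attribute check described above can be expressed in Python: it decodes the AD attributes an LDAP authorization server can fetch, namely the userAccountControl bitmask, lockoutTime and accountExpires, and maps any account that is disabled, locked, expired or password-expired to no role. The flag values are Microsoft's documented userAccountControl bits; the sample entries, the 30-minute lockoutDuration and the "vpn-users" role name are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# userAccountControl flag bits as documented by Microsoft
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010            # AD rarely sets this bit; lockoutTime is the reliable signal
PASSWORD_EXPIRED = 0x800000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # accountExpires values meaning "no expiry"


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an AD FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic keeps it exact."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def is_locked_out(lockout_time: int, lockout_duration: timedelta, now: datetime) -> bool:
    """lockoutTime is 0 when the account is not locked (or an admin unlocked it);
    otherwise it holds the lockout timestamp and the lock lapses after lockoutDuration."""
    if lockout_time == 0:
        return False
    return now < filetime_to_datetime(lockout_time) + lockout_duration


def account_status(entry: Dict[str, int], now: datetime,
                   lockout_duration: timedelta = timedelta(minutes=30)) -> List[str]:
    """Return the reasons an account should get no VPN role (empty list means OK)."""
    reasons = []
    uac = int(entry.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        reasons.append("disabled")
    if uac & LOCKOUT or is_locked_out(int(entry.get("lockoutTime", 0)), lockout_duration, now):
        reasons.append("locked")
    if uac & PASSWORD_EXPIRED:
        reasons.append("password-expired")
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES and filetime_to_datetime(expires) <= now:
        reasons.append("expired")
    return reasons


def map_role(entry: Dict[str, int], now: datetime,
             lockout_duration: timedelta = timedelta(minutes=30)) -> Optional[str]:
    """Role-mapping decision: any blocking reason maps the account to no role (None)."""
    # "vpn-users" is a hypothetical role name for the example
    return None if account_status(entry, now, lockout_duration) else "vpn-users"


if __name__ == "__main__":
    # Constructed sample LDAP entries (attribute values already parsed to ints)
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    samples = {
        "alice (normal)":   {"userAccountControl": 512, "lockoutTime": 0, "accountExpires": 0},
        "bob (disabled)":   {"userAccountControl": 514},
        "carol (locked)":   {"userAccountControl": 512,
                             "lockoutTime": datetime_to_filetime(now - timedelta(minutes=5))},
        "dave (lock lapsed)": {"userAccountControl": 512,
                               "lockoutTime": datetime_to_filetime(now - timedelta(minutes=60))},
    }
    for name, entry in samples.items():
        print(f"{name:20} reasons={account_status(entry, now)} role={map_role(entry, now)}")
```

The check reads lockoutTime rather than trusting the LOCKOUT bit because AD does not reliably maintain that bit in userAccountControl, and it treats the lapse of lockoutDuration as an unlock, which is what the domain controller does. Whether a Pulse role-mapping rule can express the time comparison depends on the product; the bitmask tests (ACCOUNTDISABLE, PASSWORD_EXPIRED) are plain attribute matches that any rule engine can evaluate.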
Contributor

Re: Active AD Accounts vs. locked/disabled AD Accounts

Using LDAP for authentication would still require user input. I am trying to avoid any input from the client. I tried using the AD attribute userAccountControl for role-based authorization, but it never worked.
Contributor

Re: Active AD Accounts vs. locked/disabled AD Accounts

Played around with the AD attributes again. Got it working to a point. Pulse Secure connects, but it puts you in an unusable role. Is there a way to have Pulse not connect at all?