Solved: Unable to restrict disabled account to connect VPN

kcsvignesh · ‎07-25-2020

We recenlty identified our Pulse secure is allowing locked/disabled AD accounts to connect to VPN. We use certificate authentication and pulse validate the cert and it allows users to connect even if user account is locked out or disabled.
we writted a custom expression rule in Pulse to check the status of the account in AD to block if any users account is locked/disabled by assigned no role.

userAttr.lockouttime != 0 - Worked as expected.
userAttr.msDS-UserAccountDisabled != 0 -- > Disabled user account still connect to VPN. Please suggest. Thanks in advance.

version : 9.0R4.1 - PSA7000c.

kcsvignesh · ‎07-30-2020

Finally we found a solution for this, we added custom expression rule in role mapping to block disabled user account by assingned no role.

userattr.userAccountControl != 512

View solution in original post

shbeuving · ‎07-27-2020

Hi @kcsvignesh ,

Beside using Cert Auth on the user realm, you could also do Active Directory for user.

If then a user is locked, it isn't able to log in. You can then also do rolemapping based on LDAP group attributes.

Hope this works :-)

kcsvignesh · ‎07-30-2020

Finally we found a solution for this, we added custom expression rule in role mapping to block disabled user account by assingned no role.

userattr.userAccountControl != 512

View solution in original post

Unable to restrict disabled account to connect VPN

Unable to restrict disabled account to connect VPN

Re: Unable to restrict disabled account to connect VPN

Re: Unable to restrict disabled account to connect VPN

Re: Unable to restrict disabled account to connect VPN