Unable to restrict disabled account to connect VPN

SOLVED
New Contributor

We recently identified that our Pulse Secure is allowing locked/disabled AD accounts to connect to VPN. We use certificate authentication, and Pulse validates the cert and allows users to connect even if the user account is locked out or disabled.
We wrote a custom expression rule in Pulse to check the status of the account in AD and block any user whose account is locked/disabled by assigning no role.

userAttr.lockouttime != 0 -> Worked as expected.
userAttr.msDS-UserAccountDisabled != 0 -> Disabled user account can still connect to VPN. Please suggest. Thanks in advance.


Version: 9.0R4.1 - PSA7000c.

1 ACCEPTED SOLUTION

Accepted Solutions
New Contributor

Re: Unable to restrict disabled account to connect VPN

Finally we found a solution for this: we added a custom expression rule in role mapping to block disabled user accounts by assigning no role.


userattr.userAccountControl != 512

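An added example, not from the thread, showing how the accepted rule `userattr.userAccountControl != 512` behaves against the AD userAccountControl bitmask: it denies a plain disabled account, but also denies enabled accounts that carry other flag bits (for example password-never-expires), whereas testing the ACCOUNTDISABLE bit directly does not. The sample accounts and their lockoutTime values are constructed.

```python
# Added example (not from the thread): models how Pulse-style role-mapping
# rules behave against the AD userAccountControl bitmask.
# userAccountControl is a bit field, not a single value, so comparing it to
# 512 (NORMAL_ACCOUNT) matches more than just "disabled" accounts.

# Flag bits as documented by Microsoft for userAccountControl.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200          # decimal 512
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000

def is_disabled(uac: int) -> bool:
    """True if the ACCOUNTDISABLE bit is set, regardless of other flags."""
    return bool(uac & ACCOUNTDISABLE)

def rule_not_512(uac: int) -> bool:
    """The thread's accepted rule: deny (map to no role) if uac != 512."""
    return uac != NORMAL_ACCOUNT

def rule_bit_test(uac: int, lockout_time: int) -> bool:
    """Deny if the disable bit is set or the account is locked out.
    lockoutTime is checked separately, as the thread's first rule already did."""
    return is_disabled(uac) or lockout_time != 0

# Constructed sample accounts: (userAccountControl, lockoutTime); hypothetical.
SAMPLES = {
    "enabled_plain":        (NORMAL_ACCOUNT, 0),
    "disabled_plain":       (NORMAL_ACCOUNT | ACCOUNTDISABLE, 0),
    "enabled_pw_never_exp": (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, 0),
    "enabled_smartcard":    (NORMAL_ACCOUNT | SMARTCARD_REQUIRED, 0),
    "disabled_smartcard":   (NORMAL_ACCOUNT | SMARTCARD_REQUIRED | ACCOUNTDISABLE, 0),
    "enabled_locked":       (NORMAL_ACCOUNT, 132000000000000000),
}

def evaluate(samples=SAMPLES):
    """Return {name: (denied_by_not_512, denied_by_bit_test)} per account."""
    return {name: (rule_not_512(uac), rule_bit_test(uac, lt))
            for name, (uac, lt) in samples.items()}

if __name__ == "__main__":
    for name, (a, b) in evaluate().items():
        print(f"{name:22} !=512 denies: {a!s:5}  bit test denies: {b}")
```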

2 REPLIES
Contributor

Re: Unable to restrict disabled account to connect VPN

Hi @kcsvignesh,


Besides using Cert Auth on the user realm, you could also do Active Directory for the user.

If a user is locked, they then aren't able to log in. You can then also do role mapping based on LDAP group attributes.


Hope this works :-) 
