https://community.cisco.com/t5/network-access-control/ise-ad-eap-tls/m-p/2411287#M89288 <HTML><HEAD></HEAD><BODY><P>Hello jrabinow,</P><P></P><P></P><P>If I understand correctly i should check&nbsp; <SPAN style="font-size: 10pt;"><STRONG>IdentityAccessRestricted&nbsp; </STRONG>attribute in Autorization policy, and if it present then it means that user was disabled in AD, and denyaccess for user ?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">thank you,</SPAN></P><P></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P></BODY></HTML> Fri, 13 Dec 2013 11:37:55 GMT ngtransge 2013-12-13T11:37:55Z https://community.cisco.com/t5/network-access-control/ise-ad-eap-tls/m-p/2411285#M89279 <P>Hello,</P><P></P><P></P><P>I have typical deployment of EAP-TLS in wireless network, with ISE and AD. The&nbsp; <SPAN style="font-size: 10pt;">"Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active </SPAN><SPAN style="font-size: 10pt;">Directory", feature is activated.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">The problem is, when user accound in AD is disabled, it still can authenticate to ISE without any issue ?</SPAN></P><P><SPAN style="font-size: 10pt;">Untill user certificate is deleted from AD.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">How is it possible to make sure that when user account is disabled in AD, it is unable to authenticate with EAP-TLS ?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P> Mon, 11 Mar 2019 04:11:13 GMT https://community.cisco.com/t5/network-access-control/ise-ad-eap-tls/m-p/2411285#M89279 ngtransge 2019-03-11T04:11:13Z https://community.cisco.com/t5/network-access-control/ise-ad-eap-tls/m-p/2411286#M89282 <HTML><HEAD></HEAD><BODY><P>I think this should be under operator control with the following attribute that can be used in the authorization policy to define a condition for what should be performed in such a case:</P><P></P><P>IdentityAccessRestricted&nbsp;&nbsp; that is created automatically in the active directory dictionary</P></BODY></HTML> Thu, 12 Dec 2013 21:29:31 GMT https://community.cisco.com/t5/network-access-control/ise-ad-eap-tls/m-p/2411286#M89282 jrabinow 2013-12-12T21:29:31Z https://community.cisco.com/t5/network-access-control/ise-ad-eap-tls/m-p/2411287#M89288 <HTML><HEAD></HEAD><BODY><P>Hello jrabinow,</P><P></P><P></P><P>If I understand correctly i should check&nbsp; <SPAN style="font-size: 10pt;"><STRONG>IdentityAccessRestricted&nbsp; </STRONG>attribute in Autorization policy, and if it present then it means that user was disabled in AD, and denyaccess for user ?</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">thank you,</SPAN></P><P></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P></BODY></HTML> Fri, 13 Dec 2013 11:37:55 GMT https://community.cisco.com/t5/network-access-control/ise-ad-eap-tls/m-p/2411287#M89288 ngtransge 2013-12-13T11:37:55Z