I am deploying Cisco ISE 2.3 for Device administration in our network. We use OpenLDAP servers as the External ID Store. In our current TACACS+ server setup, we have a script to compare shadow variables and determine account status and password aging. I need to implement the same check on ISE so that after Authorization stage, it checks if user's account is enabled and the password has not aged. Has anyone implemented a similar logic using ISE Admin Policy sets and User dictionary?
So far, I don't see many options in the ISE dictionary to compare or transform dates. The important variables are:
shadowExpire -- when the account expires and logins should no longer be allowed.
shadowLastChange -- when the password was last changed.
These values are the number of days since the Linux epoch (Jan 1 1970). ISE receives these attributes from the LDAP server and needs to compare them with the current date and time to permit or deny access. For example, if shadowExpire = 18627, then this number needs to be converted to the valid date (Dec 31 2020). If that date is later than today, then the account is valid. So, the main catch is to translate this variable to a valid date. The Linux epoch reference date can be defined in User variables.
Kindly share your insights if you have explored something similar. Thanks.