How to check Valid account and Password expiry on Cisco ISE using OpenLDAP ID store

mitali02
Level 1

I am deploying Cisco ISE 2.3 for Device administration in our network. We use OpenLDAP servers as the External ID Store. In our current TACACS+ server setup, we have a script to compare shadow variables and determine account status and password aging. I need to implement the same check on ISE so that after Authorization stage, it checks if user's account is enabled and the password has not aged. Has anyone implemented a similar logic using ISE Admin Policy sets and User dictionary?


So far, I don't see many options in the ISE dictionary to compare or transform dates. The important variables are:

shadowExpire -- when the account expires and logins should no longer be allowed.

shadowLastChange -- when the password was last changed

These values are the number of days since the Linux epoch (Jan 1 1970). ISE receives these attributes from the LDAP server and needs to compare them with the current date and time to permit or deny access. For example, if shadowExpire = 18627, then this number needs to be converted to the valid date (Dec 31 2020). If the date is greater than today, then the account is valid. So, the main catch is to translate this variable to a valid date. The Linux epoch reference date can be defined in User variables.


Kindly share your insights if you have explored something similar. Thanks.
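The conversion and the two checks described in the question, written out as an added example (not code from the original post, and not an ISE feature): shadowExpire and shadowLastChange are translated from days-since-epoch into calendar dates and compared with "today". The shadowMax attribute (maximum password age in days, from the standard shadowAccount schema) and the 90-day value are assumptions used to express "password has not aged"; the sample user entry is constructed, not taken from any directory.

```python
from datetime import date, timedelta

# The shadow attributes count days since the Unix epoch, so the reference date is fixed.
EPOCH = date(1970, 1, 1)

# Constructed sample entry (not a real user). LDAP returns these values as strings.
SAMPLE_USER = {
    "uid": "jdoe",
    "shadowExpire": "18627",      # account expires 2020-12-31 (the value from the question)
    "shadowLastChange": "18500",  # password last changed 2020-08-26
    "shadowMax": "90",            # assumption: password valid for 90 days after the last change
}


def shadow_days_to_date(days):
    """Translate a shadow day counter into a calendar date (18627 -> 2020-12-31)."""
    return EPOCH + timedelta(days=int(days))


def account_status(attrs, today):
    """Return (allowed, reason) for an entry carrying shadowAccount attributes.

    Conventions modelled on shadow(5): a missing or negative shadowExpire means the
    account never expires; shadowLastChange of 0 forces a password change; a missing
    shadowMax means the password never ages out.
    """
    expire = attrs.get("shadowExpire")
    if expire is not None and int(expire) >= 0:
        expiry_date = shadow_days_to_date(expire)
        # The account is valid only while the expiry date is still in the future.
        if today >= expiry_date:
            return False, "account expired on %s" % expiry_date.isoformat()

    last_change = attrs.get("shadowLastChange")
    if last_change is not None:
        if int(last_change) == 0:
            return False, "password change required"
        max_age = attrs.get("shadowMax")
        if max_age is not None:
            # Assumption: the password is expired once more than shadowMax days have elapsed.
            password_until = shadow_days_to_date(int(last_change) + int(max_age))
            if today > password_until:
                return False, "password expired on %s" % password_until.isoformat()

    return True, "account and password valid"


if __name__ == "__main__":
    for day in ("2020-10-01", "2020-12-30", "2020-12-31"):
        today = date.fromisoformat(day)
        allowed, reason = account_status(SAMPLE_USER, today)
        print(day, SAMPLE_USER["uid"], "ALLOW" if allowed else "DENY", "-", reason)
```

Running it walks the sample user through three dates: allowed on 2020-10-01, denied on 2020-12-30 because the password aged out on 2020-11-24, and denied on 2020-12-31 because the account itself expired. The same arithmetic is what an ISE policy would have to express; the script is useful as a reference to validate whatever condition is built on the ISE side.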

1 Reply

Octavian Szolga
Level 4
Hi,
Not sure if it works and if by default ISE would convert the Linux epoch reference date into a valid date, but you can give it a go by using a simple condition like:
Session:current time Less Than MY_LDAP_CUSTOM_USER_ATTRIBUTE

Anyway, this would be the logical flow.

Regards,
Octavian