ISE CoA after disabling a user in AD (how to automatically kick a user whose AD account was disabled)

eugeniodesideri
Level 1

Hi all,

I have a question; I wonder if someone out there can suggest the easiest way to automatically kick an authenticated user who is sending traffic over the network after I disable his AD account.

Basically, if an account has been disabled in AD the user can't join the network, of course. But if a user is already authenticated inside the network and I disable his account in AD, until a re-auth occurs the user stays connected and is allowed to send traffic inside the network.

So, is there a quick way to reassess his status in AD through a keepalive or something that tells ISE to check whether the user account is still valid?

Thanks

 

Accepted Solution

I can only think of two possible ways to accomplish this:

  1. Use a super aggressive reauth timer in the AuthZ Profile pushed by your AuthZ Policy for AD user/computer sessions. The downside is that this would apply to all AD sessions and drastically increase the amount of RADIUS events/logs, possibly impacting performance.
  2. Look into possibly using scripting on the AD side (maybe a PowerShell script) that both disables the user account and uses the REST API to find the MAC address associated with that particular user session and issues a CoA.

Example AuthZ Profile setting:

[Screenshot (2021-03-16): AuthZ Profile with the reauthentication timer set]

 

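As an added example (not code from this thread, from the poster, or from Cisco), here is the PowerShell approach of option 2: disable the AD account, look up the user's live sessions through the ISE Monitoring (MnT) REST API, and send a CoA disconnect for each one. It assumes the MnT endpoints `Session/UserName/<user>` and `CoA/Disconnect/<PSN hostname>/<MAC>/<disconnect type>` and the session XML element names `sessionParameters`, `calling_station_id`, `acs_server` and `audit_session_id` as documented in the Cisco ISE API Reference Guide; check them against your release. It also assumes a dedicated ISE admin account holding only the MnT Admin role, an MnT node certificate trusted by the host running the script, and the RSAT ActiveDirectory module. Every hostname and account name in it is a placeholder.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added example (not from the thread or from Cisco): disable an AD account, then
 tear down the user's live ISE session(s) via the ISE MnT REST API.
 Hostnames, account names and element names are assumptions; verify against
 the ISE API reference for your release.
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # AD account to disable, e.g. jdoe (placeholder)
    [string] $IseUserName,                              # RADIUS User-Name as ISE logged it (e.g. DOMAIN\jdoe); defaults to $SamAccountName
    [Parameter(Mandatory)] [string] $IseMnt,            # MnT node FQDN, e.g. ise-mnt1.example.com (placeholder)
    [Parameter(Mandatory)] [pscredential] $IseCred,     # ISE admin account with the MnT Admin role (least privilege for this job)
    [ValidateSet(0, 1, 2)] [int] $DisconnectType = 0    # MnT CoA disconnect types: 0 DEFAULT, 1 PORT_BOUNCE, 2 PORT_SHUTDOWN
)
if (-not $IseUserName) { $IseUserName = $SamAccountName }

function Invoke-IseMnt {
    # GET against the MnT API with HTTP Basic auth and an XML Accept header; returns the parsed XML.
    param([string] $Mnt, [string] $Path, [pscredential] $Cred)
    $pair    = "$($Cred.UserName):$($Cred.GetNetworkCredential().Password)"
    $basic   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    $headers = @{ Authorization = "Basic $basic"; Accept = 'application/xml' }
    $resp = Invoke-WebRequest -Uri "https://$Mnt/admin/API/mnt/$Path" -Method Get -Headers $headers -UseBasicParsing
    return [xml] $resp.Content
}

function ConvertTo-IseMac {
    # Normalise 0011.2233.4455 / 00-11-22-33-44-55 / 001122334455 to 00:11:22:33:44:55
    # (assumption: the CoA URL takes the colon-separated, upper-case form).
    param([string] $Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { throw "Unexpected MAC format: '$Mac'" }
    $pairs = for ($i = 0; $i -lt 12; $i += 2) { $hex.Substring($i, 2) }
    return ($pairs -join ':')
}

function Get-IseSessionsForUser {
    # One object per live session: the PSN that owns it (CoA must go through that PSN) and the endpoint MAC.
    param([string] $Mnt, [string] $User, [pscredential] $Cred)
    $doc = Invoke-IseMnt -Mnt $Mnt -Path "Session/UserName/$([uri]::EscapeDataString($User))" -Cred $Cred
    foreach ($s in $doc.SelectNodes('//sessionParameters')) {
        $mac = $s.SelectSingleNode('calling_station_id').InnerText
        $psn = $s.SelectSingleNode('acs_server').InnerText
        if ($mac -and $psn) {
            [pscustomobject]@{
                Psn            = $psn
                Mac            = ConvertTo-IseMac $mac
                AuditSessionId = $s.SelectSingleNode('audit_session_id').InnerText
            }
        }
    }
}

function Send-IseCoaDisconnect {
    # Issue the disconnect and report whether ISE accepted it (assumption: success is a <results>true</results> element).
    param([string] $Mnt, [pscredential] $Cred, [string] $Psn, [string] $Mac, [int] $Type)
    $doc = Invoke-IseMnt -Mnt $Mnt -Path "CoA/Disconnect/$Psn/$Mac/$Type" -Cred $Cred
    return ($doc.SelectSingleNode('//results').InnerText -eq 'true')
}

# 1. Disable in AD first, so a client that reauthenticates right after the CoA is rejected rather than readmitted.
Disable-ADAccount -Identity $SamAccountName -ErrorAction Stop
Write-Host "Disabled AD account $SamAccountName"

# 2. Find the user's live sessions on ISE.
$sessions = @(Get-IseSessionsForUser -Mnt $IseMnt -User $IseUserName -Cred $IseCred)
if ($sessions.Count -eq 0) {
    Write-Warning "No active ISE session for '$IseUserName' (check the exact RADIUS User-Name format ISE logged)"
    return
}

# 3. Disconnect each session through the PSN that owns it.
foreach ($s in $sessions) {
    try {
        $ok = Send-IseCoaDisconnect -Mnt $IseMnt -Cred $IseCred -Psn $s.Psn -Mac $s.Mac -Type $DisconnectType
        Write-Host ("CoA disconnect for {0} (session {1}) via {2}: {3}" -f $s.Mac, $s.AuditSessionId, $s.Psn, $(if ($ok) { 'accepted' } else { 'rejected' }))
    } catch {
        Write-Warning "CoA for $($s.Mac) via $($s.Psn) failed: $($_.Exception.Message)"
    }
}
```

Two things to check before relying on this: the MnT lookup matches the RADIUS User-Name exactly, so pass -IseUserName when your live sessions show DOMAIN\user or user@domain rather than the bare sAMAccountName; and the disconnect only takes effect if the switch or WLC accepts RFC 5176 CoA from ISE (dynamic authorization configured on the NAD and CoA enabled on its network device entry in ISE). Run the ISE half under a separate admin account with only the MnT Admin role, since the credential ends up stored wherever the script is scheduled.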

4 Replies

Hi @eugeniodesideri

Please try:

  1. In Context Visibility > Endpoints, filter by Username.
  2. On Change Authorization > CoA Session Terminate.

Hope this helps!

Thanks for the answer, but as I wrote, I would like this to happen automatically when I disable a user in AD.

Do you think that is something I can achieve?

Thanks again

Eugenio


The REST API looks like a very smart solution! Thanks for the advice!