Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

802.1x - Windows Password Issue

  • 1.  802.1x - Windows Password Issue

    Posted Jun 21, 2012 01:30 PM

    Hello experts,

    We are using 802.1x authentication and it works fine.

    Some users have laptops and desktops; sometimes they change the password using the wireless network, others use the wired network.

    When passwords are changed using the wireless network, everything works fine, but when passwords are changed through the wired network, some problems occur.

    To log in again on laptops, users must enter the old password; only after the login is the new password requested again, and then the users have access to the wireless network.

    The machines of the users are a mix of Windows XP, Vista and 7.

    Has anyone had this problem?

    Is there anything I can do to solve this problem?

    Regards

    Thiago Araujo



  • 2.  RE: 802.1x - Windows Password Issue

    Posted Jun 21, 2012 03:24 PM

    It sounds as though you have your laptops set up to only use user authentication, and not machine authentication. If I am wrong, ignore this long-winded explanation.....

    What I mean by that is that when the user changes the password on a desktop, then goes over to a laptop, the laptop is not on the wireless network yet....so when they log in (CTRL+ALT+DEL) they are logging into the laptop with cached credentials. The reason for this is b/c the laptop is not on the wireless network at the time of user login and can't talk to a domain controller to use the new password. Then, once logged in, the wireless kicks in and requests their new updated password.

    I'd suggest you look at enabling machine authentication on the laptops. You don't have to use the "enforce machine authentication" within the dot1x profile if you don't want to, but you should look at the wireless settings on the Windows clients to allow for either user or machine (will show up as host\computername in the user table). If you do this, you'll need to make sure your RADIUS solution supports machine authentication and that you are not doing EAP termination on the controller.

    I've attached a screenshot of the Windows 7 configuration option. This is something you can push out with Group Policy if you desire. By allowing the computers to authenticate, you also get the benefit of group policy application at login and logon scripts/etc.
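
Added example, not part of the original thread or any poster's code: a Python check that reads Windows WLAN profile XML, such as the files `netsh wlan export profile` writes, and reports whether the 802.1X `authMode` is user-only or allows machine authentication, the client setting the reply above suggests reviewing. The profile names and sample XML are constructed and trimmed to the elements the check reads.

```python
import xml.etree.ElementTree as ET

NS = {"wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
      "onex": "http://www.microsoft.com/networking/OneX/v1"}

# Constructed sample profiles (not taken from the thread), trimmed to the
# elements this check reads.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <MSM><security>
    <authEncryption><useOneX>{onex}</useOneX></authEncryption>
    {onex_block}
  </security></MSM>
</WLANProfile>"""
ONEX = ('<OneX xmlns="http://www.microsoft.com/networking/OneX/v1">'
        '<authMode>{mode}</authMode></OneX>')

SAMPLES = [
    TEMPLATE.format(name="Corp-UserOnly", onex="true", onex_block=ONEX.format(mode="user")),
    TEMPLATE.format(name="Corp-Both", onex="true", onex_block=ONEX.format(mode="machineOrUser")),
    TEMPLATE.format(name="Guest-PSK", onex="false", onex_block=""),
]

def audit_profile(xml_text):
    """Return (profile name, authMode or None, finding) for one exported profile."""
    root = ET.fromstring(xml_text)
    name = root.findtext("wlan:name", default="(unnamed)", namespaces=NS)
    use_onex = root.findtext(".//wlan:useOneX", default="false", namespaces=NS)
    if use_onex.strip().lower() != "true":
        return name, None, "not 802.1X"
    mode = root.findtext(".//onex:OneX/onex:authMode", namespaces=NS)
    if mode is None:
        # No claim is made about the OS default; flag it for manual review.
        return name, None, "authMode not set explicitly; check the profile by hand"
    mode = mode.strip()
    if mode == "user":
        return name, mode, "user only: no machine authentication before logon"
    if mode in ("machine", "machineOrUser"):
        return name, mode, "machine credentials can authenticate before logon"
    return name, mode, "other mode; review"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_profile(sample))
```
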

     

     



  • 3.  RE: 802.1x - Windows Password Issue

    Posted Jun 22, 2012 09:08 AM

    Hi clembo,

    Thanks for your explanation.

    I'll check this information and try these settings.

    I think this is an OS limitation, but I'm trying to work around this problem somehow.

     

     



  • 4.  RE: 802.1x - Windows Password Issue

    Posted May 12, 2014 04:42 PM

    OK, have you given it a try? I am still facing the issue and looking for some solution.



  • 5.  RE: 802.1x - Windows Password Issue

    Posted May 15, 2014 01:51 PM

    @MK_1707 wrote:

    OK, have you given it a try? I am still facing the issue and looking for some solution.


    Probably a better idea to start a new thread and provide some more info on your setup and issue.