Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AD password change after expiration over wi-fi

  • 1.  AD password change after expiration over wi-fi

    Posted Dec 31, 2013 05:11 AM

    Hi,

     

    I am facing the following issue: I am unable to change the password after the AD password has expired.

     

    We are doing PEAP-MSCHAPv2 without certificate validation. To get full access, both the user and the machine have to be authenticated. In ClearPass, I have configured policies as follows:

     

    1. If the user belongs to the XYZ group and the machine is authenticated, give the full access role.

    2. If the user is authenticated, give the limited access role.

     

     

    Because of the above policies, when the machine is authenticated during log off, no role is assigned. So I couldn't change the password when it had expired.

     

    I am thinking of adding a policy to the above, like "if the machine is authenticated, give the limited access role". When I do this, the machine gets an IP address at the Ctrl+Alt+Del screen. But my query is: what has to be allowed in that role to change the password?

     

    Or else, should I give the full access role to machine authentication, as when we log on to the system we won't be able to connect to the network until we provide a username and password?

     

     

    Thanks

    srikanth soogoor



  • 2.  RE: AD password change after expiration over wi-fi

    Posted Dec 31, 2013 09:15 AM

    I'll be curious to hear what the solution is as right now our users have to connect wired to get around that issue.

     



  • 3.  RE: AD password change after expiration over wi-fi

    EMPLOYEE
    Posted Dec 31, 2013 09:35 AM

    @srikanthsoogoor wrote:

    Hi,

     

    I am facing the following issue: I am unable to change the password after the AD password has expired.

     

    We are doing PEAP-MSCHAPv2 without certificate validation. To get full access, both the user and the machine have to be authenticated. In ClearPass, I have configured policies as follows:

     

    1. If the user belongs to the XYZ group and the machine is authenticated, give the full access role.

    2. If the user is authenticated, give the limited access role.

     

     

    Because of the above policies, when the machine is authenticated during log off, no role is assigned. So I couldn't change the password when it had expired.

     

    I am thinking of adding a policy to the above, like "if the machine is authenticated, give the limited access role". When I do this, the machine gets an IP address at the Ctrl+Alt+Del screen. But my query is: what has to be allowed in that role to change the password?

     

    Or else, should I give the full access role to machine authentication, as when we log on to the system we won't be able to connect to the network until we provide a username and password?

     

     

    Thanks

    srikanth soogoor


    If a device has machine authenticated, give it full access.  At that point the machine is at the Ctrl-Alt-Delete screen and needs to do specific things in the background, like group policy updates, and not allowing all access blocks it.  If the device then fails user authentication, it will not be able to connect.

     



  • 4.  RE: AD password change after expiration over wi-fi

    Posted Jan 01, 2014 01:58 AM
    If I do machine authentication and give an IP address to log in to the domain: if the password is expired I won't be able to log in, right? And if I log in using cached credentials then I won't be able to connect to the network with user authentication, as the password is expired. If at all I write a policy "user belongs to XYZ group and password-expired attribute equals value", he will get onto the network, but when he wants to change the password with Ctrl+Alt+Del, when it asks for the old password and new password, will AD accept the old password, as it is expired, and change it to the new password?


  • 5.  RE: AD password change after expiration over wi-fi

    Posted Jan 05, 2014 07:15 AM

    Hi all,

     

    I have a query regarding the above issue. When Wi-Fi is on, the machine gets authenticated and stored in the ClearPass machine cache (we set it to 10 days), and the user gets authenticated after he logs in. He gets the full access role.

     

    What happens if Wi-Fi is off during login? He logs in with cached credentials which are expired in the domain. The user will turn on Wi-Fi and try to connect, then the user won't get authenticated. But the machine is authenticated, which is checked in the cache. Will it get an IP address from the machine authenticated role, or else, as user authentication has failed, won't it connect to the SSID? How is it going to work?



  • 6.  RE: AD password change after expiration over wi-fi

    EMPLOYEE
    Posted Jan 05, 2014 08:49 AM

    If your client is configured for "Computer Only" or "Machine Only" authentication, a user will be able to get into their computer with cached credentials and change their password.  If you are doing "user and computer" authentication, and the user starts on the wifi at the ctrl-alt-delete screen, the laptop should be able to tell the user that their password is expiring and allow them to change it.  If you are doing "user and computer" authentication, and the computer permits the user to login with a cached and expired password, the wireless will not let them onto the network to change it, because they would not have a valid ip address.



  • 7.  RE: AD password change after expiration over wi-fi

    Posted Jan 05, 2014 09:46 AM

    ok.

    You mean to say that if Wi-Fi is off during the Ctrl+Alt+Del screen and the user gets into the computer with cached credentials which are expired, then as authentication fails it won't get any IP address to change it.

     

    And if Wi-Fi is on during Ctrl+Alt+Del, the machine gets authenticated and gets an IP address to communicate with the domain controller, and the DC won't allow login if the password is expired. If it allows login with valid credentials, obviously they will be able to connect to Wi-Fi.

     

    Now, can I assign the same full access role to both machine authenticated and user authenticated?

     

    Like:

    If user authenticated and user belongs to XYZ group and machine authenticated: [full access role]

    If user authenticated: [pre-provisioning role]

    If machine authenticated: [full access role] (so that it can communicate with the DC and update GPO, as you said earlier)

     

     

    But with the above policies, as machine authentication is in the cache, if the user logs in with expired credentials with Wi-Fi off, the user won't get authenticated. But machine authentication is done, so Policy Manager may assign the machine authenticated role, right?



  • 8.  RE: AD password change after expiration over wi-fi

    EMPLOYEE
    Posted Jan 05, 2014 09:49 AM

    In the user context, a user must pass authentication to get an ip address.  The radius server will only send back a reject upon failed user authentication EVEN after passed machine authentication.  There is no way around this.

     

    After a laptop has entered the user context, it will no longer send machine credentials for connectivity.  User credentials are required when in the user context and the connection will drop if the user fails even after successful machine authentication.



  • 9.  RE: AD password change after expiration over wi-fi

    Posted Jan 05, 2014 09:55 AM

    @cjoseph wrote:

    In the user context, a user must pass authentication to get an ip address.  The radius server will only send back a reject upon failed user authentication EVEN after passed machine authentication.  There is no way around this.

     

    After a laptop has entered the user context, it will no longer send machine credentials for connectivity.  User credentials are required when in the user context and the connection will drop if the user fails even after successful machine authentication.


    Can I apply the enforcement rules which I mentioned in the previous post, in that order?

     

     



  • 10.  RE: AD password change after expiration over wi-fi

    EMPLOYEE
    Posted Jan 05, 2014 09:57 AM

    @srikanthsoogoor wrote:

    @cjoseph wrote:

    In the user context, a user must pass authentication to get an ip address.  The radius server will only send back a reject upon failed user authentication EVEN after passed machine authentication.  There is no way around this.

     

    After a laptop has entered the user context, it will no longer send machine credentials for connectivity.  User credentials are required when in the user context and the connection will drop if the user fails even after successful machine authentication.


    Can I apply the enforcement rules which I mentioned in the previous post, in that order?

     

     


    No, because you can only apply enforcement rules with a successful 802.1X authentication.  Enforcement policies are not executed on a failed 802.1X authentication.



  • 11.  RE: AD password change after expiration over wi-fi

    Posted Jan 05, 2014 10:03 AM

    What is the possible way for the computer to communicate with the DC during the logon screen if I don't assign a role to it? How does the domain controller check whether the user is using valid credentials to enter a machine which is part of the domain, like on the LAN, unless it has an IP address during the logon screen after machine authentication? Without an IP address, how will the computer learn from the DC that the password is expired or has to be changed?

     

    Can you please suggest how to write rules in my scenario?



  • 12.  RE: AD password change after expiration over wi-fi

    EMPLOYEE
    Posted Jan 05, 2014 10:07 AM

    @srikanthsoogoor wrote:

    What is the possible way for the computer to communicate with the DC during the logon screen if I don't assign a role to it? How does the domain controller check whether the user is using valid credentials to enter a machine which is part of the domain, like on the LAN, unless it has an IP address during the logon screen after machine authentication? Without an IP address, how will the computer learn from the DC that the password is expired or has to be changed?

     

    Can you please suggest how to write rules in my scenario?


    I cannot suggest rules.  I can only suggest a strategy:

     

    Make sure you have it configured in group policy to warn users 5 days before their password expires.  They will get the change notification over wireless.  If they do not change it they will be locked out until they plug into the wired network.  That is the best strategy to have.  If a user allows his/her password to expire, even after they get a warning, it will be painful.
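    The warning strategy above only works if you can see how close each account is to expiry. The following is an added example, not from this thread or from HPE/Microsoft code: it computes a password-expiry report the way a client or a helpdesk script would, from the raw AD attributes (pwdLastSet and userAccountControl on the user, maxPwdAge on the domain). The 42-day maximum age, the fixed "now" date and the sample accounts are constructed for the illustration; the FILETIME epoch, the userAccountControl flag values and the meaning of pwdLastSet = 0 and of the maxPwdAge "never" sentinel are real Windows semantics.

```python
"""Password-expiry report computed from the raw AD attributes a client sees
(pwdLastSet, userAccountControl, domain maxPwdAge).  Added illustration with
constructed sample accounts; not from the thread or from HPE/Microsoft code."""
from datetime import datetime, timedelta, timezone

# FILETIME: 100 ns intervals since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UF_NORMAL_ACCOUNT = 0x200                # userAccountControl flag
UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl flag
NEVER = -(2 ** 63)                       # maxPwdAge value meaning "never expires"


def filetime_to_datetime(ticks):
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * TICKS_PER_SECOND


def password_expires_at(pwd_last_set, user_account_control, max_pwd_age):
    """Expiry instant, or None if the password never expires.  maxPwdAge is the
    domain's NEGATIVE 100 ns count, so expiry = pwdLastSet - maxPwdAge."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER):
        return None
    if pwd_last_set == 0:                # "user must change password at next logon"
        return EPOCH_1601                # treat as already expired
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def classify(expires_at, now, warn_days):
    """never / expired / warn (inside the warning window) / ok."""
    if expires_at is None:
        return "never"
    if expires_at <= now:
        return "expired"
    if expires_at - now <= timedelta(days=warn_days):
        return "warn"
    return "ok"


def report(accounts, max_pwd_age, now, warn_days=5):
    """accounts: {sAMAccountName: (pwdLastSet, userAccountControl)}."""
    return {name: classify(password_expires_at(pls, uac, max_pwd_age), now, warn_days)
            for name, (pls, uac) in accounts.items()}


# Constructed sample: 42-day maximum age, evaluated on a fixed date.
NOW = datetime(2014, 1, 5, tzinfo=timezone.utc)
MAX_PWD_AGE_42D = -42 * 86400 * TICKS_PER_SECOND
SAMPLE_ACCOUNTS = {
    "alice": (datetime_to_filetime(NOW - timedelta(days=40)), UF_NORMAL_ACCOUNT),  # 2 days left
    "bob":   (datetime_to_filetime(NOW - timedelta(days=10)), UF_NORMAL_ACCOUNT),  # 32 days left
    "carol": (datetime_to_filetime(NOW - timedelta(days=50)), UF_NORMAL_ACCOUNT),  # expired 8 days ago
    "dave":  (0, UF_NORMAL_ACCOUNT),                                               # must change at next logon
    "svc":   (datetime_to_filetime(NOW - timedelta(days=400)),
              UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),                          # never expires
}

if __name__ == "__main__":
    for user, status in report(SAMPLE_ACCOUNTS, MAX_PWD_AGE_42D, NOW).items():
        print(f"{user:6} {status}")
```

    Anyone in the "warn" bucket is the user who still has a working password and a working Wi-Fi session, i.e. the only moment the change can be done over wireless; "expired" is the user from this thread who now needs a wired port or an admin reset.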

     



  • 13.  RE: AD password change after expiration over wi-fi

    Posted Jan 05, 2014 10:21 AM

    ok i got it.

     

    The problem is that over Wi-Fi, clients are logging in using cached credentials, where the credentials are not checked against the domain controller during login even if Wi-Fi is on, as no role has been assigned for machine authentication in ClearPass. So the client is thrown out of the network if the password is expired, and he wouldn't be able to change the password during the Ctrl+Alt+Del screen.

     So I thought of stopping users logging in with cached credentials by assigning a role when machine authentication is done. If I assign a role it will get an IP address, so that the machine can check against the domain controller and users will be able to get into the machine with valid credentials, with no hiccups in connecting to Wi-Fi, as we use the Windows logon username for authentication.

     

     



  • 14.  RE: AD password change after expiration over wi-fi
    Best Answer

    EMPLOYEE
    Posted Jan 05, 2014 10:29 AM

    @srikanthsoogoor wrote:

    ok i got it.

     

    The problem is that over Wi-Fi, clients are logging in using cached credentials, where the credentials are not checked against the domain controller during login even if Wi-Fi is on, as no role has been assigned for machine authentication in ClearPass. So the client is thrown out of the network if the password is expired, and he wouldn't be able to change the password during the Ctrl+Alt+Del screen.

     So I thought of stopping users logging in with cached credentials by assigning a role when machine authentication is done. If I assign a role it will get an IP address, so that the machine can check against the domain controller and users will be able to get into the machine with valid credentials, with no hiccups in connecting to Wi-Fi, as we use the Windows logon username for authentication.

     

     


    Unfortunately, that would complicate things.  Computers need to have full access to the network when at the Ctrl-Alt-Delete screen or when machine authentication has taken place.  Many users do not get group policy correctly or log in with cached credentials onsite when machine authentication does not execute or is not configured properly.   Please make sure that the computer has full access to the network when it is at the Ctrl-Alt-Delete screen, to ensure that domain access is fully available.  That is the primary solution to ensure that users do not log in with expired cached credentials.  If you are giving it a special role that blocks any traffic during machine authentication, you risk having users log in with cached credentials, which would create the issue that you are seeing.

     



  • 15.  RE: AD password change after expiration over wi-fi

    EMPLOYEE
    Posted Jan 05, 2014 10:39 AM

    If in ClearPass you check to see if the memberOf attribute contains "Domain Computers" and then permit full access, that would detect when a computer is at the Ctrl-Alt-Delete screen and give it full access.  Unfortunately, using the built-in [Machine Authenticated] role in ClearPass will only detect if a device EVER passed machine authentication.  It does not specify if the CURRENT incoming authentication is a machine authentication.  Checking to see if the memberOf attribute contains "Domain Computers" checks to see if the current incoming authentication is that of a domain computer.
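    To make the difference between the two conditions concrete, here is an added example (not ClearPass code and not from anyone in this thread): a small first-match model of the enforcement rules proposed in post 7, run against four constructed requests. The rule engine, the attribute names, the role names and the "host/NAME$" username format are assumptions for the illustration; the two behaviours it shows are the ones stated above, namely that enforcement is never evaluated on a failed 802.1X authentication, and that a rule keyed on the cached [Machine Authenticated] state matches whoever is authenticating from a previously seen device, while a rule keyed on memberOf "Domain Computers" matches only when the computer account itself is authenticating.

```python
"""First-match model of the ClearPass enforcement rules discussed in this
thread.  Added illustration only: the engine, attribute names and sample
requests are assumptions, not ClearPass code or its real policy language."""
from dataclasses import dataclass

FULL = "Full-Access-Role"
LIMITED = "Limited-Access-Role"
REJECT = "Access-Reject"


@dataclass(frozen=True)
class Request:
    """One RADIUS request as the policy engine sees it (constructed sample)."""
    username: str              # "host/NAME$" for a computer account (assumed format)
    authenticated: bool        # PEAP-MSCHAPv2 inner authentication result
    member_of: frozenset       # AD memberOf of the identity authenticating NOW
    machine_auth_cached: bool  # device present in the machine-auth cache (10 days)


def in_xyz(req):
    return "XYZ" in req.member_of


def cached_machine_auth(req):
    """Models the built-in [Machine Authenticated] role: true if this device EVER
    passed machine auth inside the cache window, whoever is authenticating now."""
    return req.machine_auth_cached


def current_machine_identity(req):
    """memberOf contains 'Domain Computers': only a computer account has it, so
    this is true only when the CURRENT request is the machine itself."""
    return "Domain Computers" in req.member_of


def is_user(req):
    return not current_machine_identity(req)


def evaluate(req, rules):
    """Enforcement runs only after a successful 802.1X authentication; a failed
    inner auth (e.g. an expired password) is an Access-Reject regardless of cache."""
    if not req.authenticated:
        return REJECT
    for condition, role in rules:
        if condition(req):
            return role
    return REJECT


# Rule order proposed in post 7: user rules first, then the machine rule.
USER_RULES_FIRST = [
    (lambda r: is_user(r) and in_xyz(r) and cached_machine_auth(r), FULL),
    (is_user, LIMITED),
    (current_machine_identity, FULL),
]
# Machine rule placed first and keyed on the cached flag: over-grants.
CACHED_FLAG_FIRST = [
    (cached_machine_auth, FULL),
    (lambda r: is_user(r) and in_xyz(r), FULL),
    (is_user, LIMITED),
]
# Machine rule placed first but keyed on the identity authenticating right now.
DOMAIN_COMPUTERS_FIRST = [
    (current_machine_identity, FULL),
    (lambda r: is_user(r) and in_xyz(r) and cached_machine_auth(r), FULL),
    (is_user, LIMITED),
]

# Constructed sample requests.
BOOT = Request("host/LAPTOP01$", True, frozenset({"Domain Computers"}), True)
XYZ_USER = Request("alice", True, frozenset({"Domain Users", "XYZ"}), True)
OTHER_USER = Request("bob", True, frozenset({"Domain Users"}), True)
EXPIRED_USER = Request("carol", False, frozenset(), True)


def run_scenarios():
    """Role each rule set returns for each sample request."""
    rule_sets = {"user_rules_first": USER_RULES_FIRST,
                 "cached_flag_first": CACHED_FLAG_FIRST,
                 "domain_computers_first": DOMAIN_COMPUTERS_FIRST}
    requests = {"boot": BOOT, "xyz_user": XYZ_USER,
                "other_user": OTHER_USER, "expired_user": EXPIRED_USER}
    return {name: {rname: evaluate(req, rules) for rname, req in requests.items()}
            for name, rules in rule_sets.items()}


if __name__ == "__main__":
    for name, results in run_scenarios().items():
        print(name, results)
```

    The row to look at is "other_user" (a user not in XYZ on a laptop that machine-authenticated earlier in the cache window): the cached-flag rule hands that user full access, the "Domain Computers" rule does not, and in every rule set the expired-password user gets a reject before any rule is consulted.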



  • 16.  RE: AD password change after expiration over wi-fi

    Posted Jan 06, 2014 12:14 AM

    When we are using cached credentials which are expired, the user will pass machine authentication but not user authentication.

     

    To change the password now, we are connecting to the LAN and changing it manually. Is there any way to do it over wireless as on the LAN, instead of using the LAN or asking the admin to reset the password?



  • 17.  RE: AD password change after expiration over wi-fi

    EMPLOYEE
    Posted Jan 06, 2014 12:25 AM

    Laptops only pass machine authentication (1) when the machine boots up and (2) when the user logs off of his/her user session.

     

    If machine authentication is actually working in your environment, it should not let your user get into the machine with expired credentials, because it should have an ip address at the ctrl-alt-delete screen, so it should reach the domain and ask for real, working credentials.  I would check to see if your machine authentication is really working.

     

    Does your machine get an ip address at the ctrl-alt-delete screen before a user logs in?  Can you do things like stop and start services and open a share to the machine while the machine is at the ctrl-alt-delete screen?  If not, machine authentication is not working and needs to be fixed.
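    The checks above (a real address at the Ctrl-Alt-Delete screen, a share that opens, services that can be controlled) can be turned into a pre-logon probe. What follows is an added example and not from this thread or from HPE: a script meant to run on the client before logon (for instance as a SYSTEM-level scheduled task, which is an assumption about deployment) that reports whether the client holds a usable lease and whether the domain controller's core TCP ports answer. The DC hostname, the port list and the use of DNS over TCP are assumptions; the APIPA (169.254/16) check reflects what a client looks like when no role or VLAN was assigned and DHCP never answered.

```python
"""Pre-logon reachability probe: did machine authentication put this device on
a network that can actually reach a domain controller?  Added illustration,
not from the thread; DC host, port list and deployment are assumptions."""
import ipaddress
import socket
from contextlib import closing

# TCP services a client needs before the Ctrl-Alt-Delete logon can talk to the
# DC (assumed minimal set): Kerberos, LDAP, SMB for SYSVOL/GPO, DNS over TCP.
DC_PORTS = {"kerberos": 88, "ldap": 389, "smb": 445, "dns": 53}


def usable_addresses(addresses):
    """Drop loopback and APIPA/link-local (169.254/16).  An APIPA-only client
    never got a DHCP lease, which is what a role-less machine auth looks like."""
    good = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.is_loopback or ip.is_link_local:
            continue
        good.append(text)
    return good


def tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:
            return False


def probe_dc(host, ports=DC_PORTS, timeout=2.0):
    """Per-service reachability of one domain controller."""
    return {name: tcp_open(host, port, timeout) for name, port in ports.items()}


def machine_auth_looks_healthy(addresses, dc_host, ports=DC_PORTS):
    """True only if the client holds a real lease AND every DC port answers."""
    if not usable_addresses(addresses):
        return False
    return all(probe_dc(dc_host, ports).values())


if __name__ == "__main__":
    # Example use on a client; "dc01.example.com" is a placeholder DC name.
    addrs = socket.gethostbyname_ex(socket.gethostname())[2]
    print("addresses:", addrs, "usable:", usable_addresses(addrs))
    print("dc ports:", probe_dc("dc01.example.com"))
    print("healthy:", machine_auth_looks_healthy(addrs, "dc01.example.com"))
```

    A device that reports no usable address, or closed Kerberos/LDAP/SMB ports, while sitting at the logon screen is exactly the state the previous post says to fix before touching any password-expiry policy.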

     



  • 18.  RE: AD password change after expiration over wi-fi

    Posted Jan 06, 2014 12:40 AM

    @cjoseph wrote:

    Laptops only pass machine authentication (1) when the machine boots up and (2) when the user logs off of his/her user session.

     

    If machine authentication is actually working in your environment, it should not let your user get into the machine with expired credentials, because it should have an ip address at the ctrl-alt-delete screen, so it should reach the domain and ask for real, working credentials.  I would check to see if your machine authentication is really working.

     

    Does your machine get an ip address at the ctrl-alt-delete screen before a user logs in?  Can you do things like stop and start services and open a share to the machine while the machine is at the ctrl-alt-delete screen?  If not, machine authentication is not working and needs to be fixed.

     


     

    No, it doesn't get any IP address, as no role has been assigned for machine-only authentication. If ClearPass checks only the machine, it sends a reject. Now I am planning to assign a full access role and VLAN to it, so that it gets an IP address and can check the credentials.

     

    Thanks 

    Srikanth