Contributor II
Posts: 125
Registered: ‎05-19-2013

AD password change after expiration over wi-fi

Hi,

I am facing the following issue: I am unable to change the password after the AD password has expired.

We are doing PEAP-MSCHAPv2 without certificate validation. To get full access, both user and machine have to be authenticated. In ClearPass, I have configured policies as follows:

1. If user belongs to XYZ group and machine is authenticated, give full access role.

2. If user is authenticated, give limited access role.

Because of the above policies, when the machine is authenticated during log off, no role is assigned. So I couldn't change the password when it expired.

I am thinking of adding a policy to the above policies like "if machine is authenticated, give limited access role". When I do this, the machine gets an IP address at the Ctrl+Alt+Del screen. But my query is: what has to be allowed for that role to change the password?

Or else should I give the full access role to machine authentication, as when we log on to the system we won't be able to connect to the network until and unless we provide username and password?

Thanks

srikanth soogoor

Frequent Contributor II
Posts: 118
Registered: ‎02-10-2011

Re: AD password change after expiration over wi-fi

I'll be curious to hear what the solution is as right now our users have to connect wired to get around that issue.

 

Guru Elite
Posts: 20,599
Registered: ‎03-29-2007

Re: AD password change after expiration over wi-fi

srikanthsoogoor wrote:

Hi,

I am facing the following issue: I am unable to change the password after the AD password has expired.

We are doing PEAP-MSCHAPv2 without certificate validation. To get full access, both user and machine have to be authenticated. In ClearPass, I have configured policies as follows:

1. If user belongs to XYZ group and machine is authenticated, give full access role.

2. If user is authenticated, give limited access role.

Because of the above policies, when the machine is authenticated during log off, no role is assigned. So I couldn't change the password when it expired.

I am thinking of adding a policy to the above policies like "if machine is authenticated, give limited access role". When I do this, the machine gets an IP address at the Ctrl+Alt+Del screen. But my query is: what has to be allowed for that role to change the password?

Or else should I give the full access role to machine authentication, as when we log on to the system we won't be able to connect to the network until and unless we provide username and password?

Thanks

srikanth soogoor


If a device has machine authenticated, give it full access. At that point the machine is at the Ctrl-Alt-Delete screen and needs to do specific things in the background like group policy updates, and not allowing all access blocks it. If the device then fails user authentication, it will not be able to connect.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: AD password change after expiration over wi-fi

If I do machine authentication and give an IP address to log in to the domain: if the password is expired I won't be able to log in, right? And if I log in using cached credentials then I won't be able to connect to the network with user authentication, as the password is expired. If at all I write a policy "user belongs to XYZ group and password-expired attribute equals value", he will get onto the network, but when he wants to change the password with Ctrl+Alt+Del, when it asks for the old password and new password, will AD accept the old password, as it is expired, and change to the new password?

Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: AD password change after expiration over wi-fi

Hi all,

I have a query regarding the above issue. When Wi-Fi is on, the machine gets authenticated and stored in the ClearPass machine cache (we set it to 10 days), and the user gets authenticated after he logs in. He gets the full access role.

What happens if Wi-Fi is off during login? He logs in with cached credentials which are expired in the domain. The user turns on Wi-Fi and tries to connect; then the user won't get authenticated. But the machine is authenticated, which is checked in the cache. Will it get an IP address from the machine-authenticated role, or else, as user authentication has failed, won't it connect to the SSID? How is it going to work?

Guru Elite
Posts: 20,599
Registered: ‎03-29-2007

Re: AD password change after expiration over wi-fi

If your client is configured for "Computer Only" or "Machine Only" authentication, a user will be able to get into their computer with cached credentials and change their password. If you are doing "user and computer" authentication, and the user starts on the wifi at the ctrl-alt-delete screen, the laptop should be able to tell the user that their password is expiring and allow them to change it. If you are doing "user and computer" authentication, and the computer permits the user to login with a cached and expired password, the wireless will not let them onto the network to change it, because they would not have a valid IP address.



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: AD password change after expiration over wi-fi

OK.

You mean to say that, if Wi-Fi is off during the Ctrl+Alt+Del screen and the user gets into the computer with cached credentials which are expired, then as authentication fails it won't get any IP address to change the password.

And if Wi-Fi is on during Ctrl+Alt+Del, the machine gets authenticated and it gets an IP address to communicate with the domain controller, and the DC won't allow login if the password is expired. If it allows login with valid credentials, obviously they will be able to connect to Wi-Fi.

Now, can I assign the same full access role to both machine authenticated and user authenticated?

Like:

If user authenticated & user belongs to XYZ group and machine authenticated -> [full access role]

If user authenticated -> [pre-provisioning role]

If machine authenticated -> [full access role] (so that it can communicate with the DC and update GPO, as you said earlier)

But with the above policies, as machine authentication is in the cache: if the user logs in with expired credentials with Wi-Fi off, the user won't get authenticated. But machine authentication is done, so policy manager may assign the machine-authenticated role, right?

Guru Elite
Posts: 20,599
Registered: ‎03-29-2007

Re: AD password change after expiration over wi-fi

In the user context, a user must pass authentication to get an IP address. The radius server will only send back a reject upon failed user authentication EVEN after passed machine authentication. There is no way around this.

After a laptop has entered the user context, it will no longer send machine credentials for connectivity. User credentials are required when in the user context and the connection will drop if the user fails even after successful machine authentication.



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 125
Registered: ‎05-19-2013

Re: AD password change after expiration over wi-fi


cjoseph wrote:

In the user context, a user must pass authentication to get an IP address. The radius server will only send back a reject upon failed user authentication EVEN after passed machine authentication. There is no way around this.

After a laptop has entered the user context, it will no longer send machine credentials for connectivity. User credentials are required when in the user context and the connection will drop if the user fails even after successful machine authentication.


Can I apply the enforcement rules which I mentioned in the previous post, and in that order?

 

 

Guru Elite
Posts: 20,599
Registered: ‎03-29-2007

Re: AD password change after expiration over wi-fi


srikanthsoogoor wrote:

cjoseph wrote:

In the user context, a user must pass authentication to get an IP address. The radius server will only send back a reject upon failed user authentication EVEN after passed machine authentication. There is no way around this.

After a laptop has entered the user context, it will no longer send machine credentials for connectivity. User credentials are required when in the user context and the connection will drop if the user fails even after successful machine authentication.


Can I apply the enforcement rules which I mentioned in the previous post, and in that order?


No, because you can only apply enforcement rules with a successful 802.1X authentication. Enforcement policies are not executed on a failed 802.1X authentication.



Colin Joseph
Aruba Customer Engineering
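The three enforcement rules proposed earlier in the thread, and the two constraints Colin states (a failed authentication in the current context is a reject regardless of cached machine authentication, and a laptop in the user context sends only user credentials), can be walked through with a small model. The following is an added example written for this thread; it is not ClearPass code and not from Aruba. The role names, the XYZ group and the 10-day machine cache come from the posts; the function names, the cache behaviour and the sample scenarios are assumptions made for the illustration.

```python
# Added example, not code from the thread or from Aruba/ClearPass: a
# simplified model of how an 802.1X RADIUS server with a machine-
# authentication cache decides on a role, used to walk through the scenarios
# raised in this thread. Role names, the 10-day cache TTL and the group name
# XYZ are taken from the posts; the function names and the behaviour of the
# cache are assumptions made for this illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MACHINE_CACHE_TTL = timedelta(days=10)  # value the poster configured in ClearPass


@dataclass
class MachineAuthCache:
    """Remembers when each host last passed machine authentication."""
    last_success: dict = field(default_factory=dict)

    def record(self, host: str, when: datetime) -> None:
        self.last_success[host] = when

    def is_machine_authenticated(self, host: str, now: datetime) -> bool:
        when = self.last_success.get(host)
        return when is not None and now - when <= MACHINE_CACHE_TTL


@dataclass
class AccessRequest:
    host: str
    context: str              # "machine" (Ctrl+Alt+Del screen) or "user" (logged-in user)
    credentials_valid: bool   # outcome of the MSCHAPv2 check against AD; an expired password fails
    user_groups: frozenset = frozenset()


def evaluate(req: AccessRequest, cache: MachineAuthCache, now: datetime):
    """Return ("ACCEPT", role) or ("REJECT", None).

    Two rules from the thread are built in:
      1. a failed authentication in the current context is an Access-Reject
         and the enforcement policy is never consulted, whatever the cache says;
      2. in the user context the supplicant sends only user credentials, so
         machine-authentication status can come only from the cache.
    """
    if not req.credentials_valid:
        return ("REJECT", None)  # rule 1: no role is ever assigned on failure

    if req.context == "machine":
        cache.record(req.host, now)
        # machine-only: full access so the host can reach the DC (GPO updates etc.)
        return ("ACCEPT", "full-access")

    # user context, credentials valid: apply the enforcement rules in order
    machine_ok = cache.is_machine_authenticated(req.host, now)  # rule 2
    if machine_ok and "XYZ" in req.user_groups:
        return ("ACCEPT", "full-access")
    return ("ACCEPT", "pre-provisioning")


def run_thread_scenarios() -> dict:
    """Constructed scenarios that mirror the questions asked in the thread."""
    t0 = datetime(2013, 6, 1, 8, 0)
    groups = frozenset({"XYZ"})
    results = {}

    # Wi-Fi on at the Ctrl+Alt+Del screen: machine auth passes, then the user
    # logs in with a valid password and gets full access.
    cache = MachineAuthCache()
    results["machine_then_valid_user"] = (
        evaluate(AccessRequest("lap1", "machine", True), cache, t0),
        evaluate(AccessRequest("lap1", "user", True, groups), cache, t0 + timedelta(minutes=1)),
    )

    # Wi-Fi off during login, cached (expired) domain credentials, Wi-Fi turned
    # on afterwards: the machine is still in the cache but the user check
    # fails, so the answer is a reject, not the machine role.
    results["cached_machine_expired_user"] = evaluate(
        AccessRequest("lap1", "user", False, groups), cache, t0 + timedelta(hours=1))

    # Valid user who is not in XYZ: falls through to the second rule.
    results["valid_user_not_in_group"] = evaluate(
        AccessRequest("lap1", "user", True, frozenset()), cache, t0 + timedelta(hours=2))

    # Cache entry older than the TTL: even a valid XYZ user only gets the
    # pre-provisioning role until the machine authenticates again.
    results["valid_user_stale_cache"] = evaluate(
        AccessRequest("lap1", "user", True, groups), cache, t0 + timedelta(days=11))
    return results


if __name__ == "__main__":
    for name, outcome in run_thread_scenarios().items():
        print(f"{name}: {outcome}")
```

The second scenario is the one the thread keeps returning to: because the reject happens before any enforcement rule is evaluated, adding a "machine authenticated -> full access" rule cannot rescue a user whose password has already expired; it only helps while the laptop is still at the Ctrl+Alt+Del screen and authenticating as the machine.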

