Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Change Expired Password Over Wifi

  • 1.  Change Expired Password Over Wifi

    Posted Jul 08, 2013 06:18 PM

    In our environment, if a user does not change their domain password and lets it expire, they'll get disconnected from wireless and are unable to update their password over wifi. They have to connect to a wired port to update their password, then are able to connect back to wifi. I'd like to resolve this if possible.

    We require machine auth + user auth (EAP-PEAP) to connect to our network. Once the user loses connectivity because the password has expired, they'll log off and attempt to log back in, which should prompt them to change their password. Since these are all Win7 machines, they'll machine auth at the logon screen, which will give them limited connectivity to the network. The machine auth policy includes IP access to all Win DCs, and the usual DHCP, DNS, etc. I would think this is enough to be able to change their password, but for some reason it is not. We're using ClearPass for wireless authentication, and I'm wondering if CP is part of the problem or if I need to re-evaluate my machine auth policy.

     

    Any help is appreciated.  Thanks.



  • 2.  RE: Change Expired Password Over Wifi

    EMPLOYEE
    Posted Jul 08, 2013 08:28 PM

    Anything that machine authenticates should have a wide open role.  That will allow your user to change passwords at the ctrl-alt-delete screen.



  • 3.  RE: Change Expired Password Over Wifi

    Posted Jul 09, 2013 01:54 PM

    That is an issue I've fought for years. The bottom line is "it is a feature of Microsoft" because of the way the information is sent back through the RADIUS server. It has to do with the actual response given not matching what the RADIUS server should see as a "Yes, I'll pass that on" response. CJoseph would definitely know but I've never seen anyone come up with something that works...



  • 4.  RE: Change Expired Password Over Wifi

    EMPLOYEE
    Posted Jul 09, 2013 02:20 PM

    Pdavis,

    This routinely works at quite a few if not all environments, if done right. I suggest that you open a case with TAC if it is not working.



  • 5.  RE: Change Expired Password Over Wifi
    Best Answer

    Posted Aug 20, 2013 04:34 PM

    I just resolved my problem.

    We use Microsoft DirectAccess in our environment, and the probe that it sends to determine if the computer is on the network was failing because the WLAN firewall blocked it. When the probe fails, DirectAccess drops all corporate DNS requests, resulting in logon servers being inaccessible. Creating a firewall rule to allow the DA probe fixed our issue.