MVP
Posts: 1,110
Registered: ‎10-11-2011

Change Expired Password Over Wifi

In our environment, if a user does not change their domain password and lets it expire, they'll get disconnected from wireless and are unable to update their password over wifi.  They have to connect to a wired port to update their password, then are able to connect back to wifi.  I'd like to resolve this if possible.

 

We require machine auth + user auth (EAP-PEAP) to connect to our network.  Once the user loses connectivity because the password has expired, they'll log off and attempt to log back in, which should prompt them to change their password.  Since these are all Win7 machines, they'll machine auth at the logon screen, which will give them limited connectivity to the network.  The machine auth policy includes IP access to all Win DCs, and the usual DHCP, DNS, etc.  I would think this is enough to be able to change their password, but for some reason it is not.  We're using ClearPass for wireless authentication, and I'm wondering if CP is part of the problem or if I need to re-evaluate my machine auth policy.

 

Any help is appreciated.  Thanks.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 20,007
Registered: ‎03-29-2007

Re: Change Expired Password Over Wifi

Anything that machine authenticates should have a wide open role.  That will allow your user to change passwords at the ctrl-alt-delete screen.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Re: Change Expired Password Over Wifi

That is an issue I've fought for years.  The bottom line is "it is a feature of Microsoft" because of the way the information is sent back through the RADIUS server.  It has to do with the actual response given not matching what the RADIUS server should see as a "Yes, I'll pass that on" response.  CJoseph would definitely know, but I've never seen anyone come up with something that works...

Guru Elite
Posts: 20,007
Registered: ‎03-29-2007

Re: Change Expired Password Over Wifi

Pdavis,

 

This routinely works at quite a few if not all environments, if done right.  I suggest that you open a case with TAC if it is not working.

Colin Joseph
Aruba Customer Engineering

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Change Expired Password Over Wifi

I just resolved my problem.

 

We use Microsoft Direct Access in our environment and the probe that it sends to determine if the computer is on the network was failing because the WLAN firewall blocked it.  When the probe fails, Direct Access drops all corporate DNS requests, resulting in logon servers being inaccessible.  Creating a firewall rule to allow the DA probe fixed our issue.
