Occasional Contributor II

ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

Hi all,

 

Is it possible to configure ClearPass to provide users with a web-based way to change their account credentials when password expiration occurs or when admins force a password change at next login?

Something like the guest Self Service Portal or captive portal, but for Active Directory domain users.

The feature could be particularly useful in Active Directory integrated environments, for users/clients not joined to the corporate domain (externals, consultants, suppliers) who need to change their password, especially for VPN access.

ClearPass could then change the password on AD using the proper authentication source (LDAP, AD join, etc.).

Many thanks,

Andrea

Guru Elite

Re: ClearPass - Web-based way to change password for AD user account link guest Self Service Portal

No, a ClearPass web form cannot change a password in an external identity store.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass - Web-based way to change password for AD user account link guest Self Service Portal

Thanks Tim for your fast reply.

Alternatively, does CPPM support password change using MSCHAPv2?

I'm thinking about the following VPN scenario, where the VPN client and server support password change when the password expiration condition occurs:

VPN Server <-- RADIUS MSCHAPv2 --> CPPM <-- LDAP --> AD/LDAP Server

 

thanks,

Andrea

 

 

Guru Elite

Re: ClearPass - Web-based way to change password for AD user account link guest Self Service Portal

Yes, that should work at the protocol level.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass - Web-based way to change password for AD user account link guest Self Service Portal

Hi Tim,

 

I tried to configure a service for VPN access on the fly in my lab, but it seems it doesn't work.

CPPM is joined to AD.

The LDAP bind user works and has AD admin rights.

The VPN client/server (Cisco AnyConnect & Cisco ASA) support password change for sure; I have already successfully tested it with Microsoft NPS RADIUS.

I forced a password change on the test account.

When I try the VPN access I get the following error logs:

immagine.png

CPPM configurations (service and auth source) are very basic and simple.

Without password change, authentication passes.

 

Any suggestions?

 

thanks

Andrea

 

Guru Elite

Re: ClearPass - Web-based way to change password for AD user account link guest Self Service Portal

Please confirm you're using EAP-MSCHAPv2?

 

PAP does not support password change.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass - Web-based way to change password for AD user account link guest Self Service Portal

Hi Tim,

 

I'm using MSCHAPv2, not EAP-MSCHAPv2.

The context is VPN access, not dot1x access.

 

Thanks,

Andrea
