01-26-2016 02:13 AM
When you have caching enabled on an AD authentication source, does it cache the password/password hash at all, or is the password checked against AD every time a user authenticates towards a RADIUS service on the ClearPass? (typically EAP-PEAP)
I know group memberships and authorization data are cached, but I am unsure about passwords.
Now regarding EAP-TLS authentication to a wireless network. As I understand it, the user account password is never part of the authentication exchange. Authentication is achieved by verifying the key pairs of the configured certificates, and the AD user account password is never exposed in the auth request to the 802.1X SSID. EAP-TLS wireless would then never be responsible for a locked-out Windows account (too many failed auth attempts).
It is very clear to me that it has to work in a BYOD ClearPass Onboard deployment, but is that always the case even when Windows domain computers are configured to use EAP-TLS?
01-26-2016 03:58 AM
Passwords are not cached. Authorization can optionally do a lookup via LDAP to see if the username on the EAP-TLS certificate is still in AD to make sure the user has not been locked out or account disabled.
Aruba Customer Engineering
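The authorization step the answer above describes (take the identity from the EAP-TLS certificate, look it up in AD, and deny the session if the account is disabled or locked out) can be sketched in a few lines. The following is an added illustration, not ClearPass or Aruba code: the in-memory `DIRECTORY` dict stands in for an LDAP search result, the record values and `NOW` are constructed, and the 30-minute `lockout_duration_s` is an assumed domain policy value. The attribute names and semantics are the real AD ones: `userAccountControl` bit 0x0002 means the account is disabled, and `lockoutTime` is a FILETIME (100-ns ticks since 1601) that stays set after the lockout window has expired, so it has to be compared against the lockout duration rather than just tested for non-zero.

```python
from datetime import datetime, timedelta, timezone

ACCOUNTDISABLE = 0x0002                 # userAccountControl flag: account disabled
EPOCH_DIFF_100NS = 116444736000000000   # 1601-01-01 -> 1970-01-01 in 100-ns ticks (FILETIME)


def to_filetime(dt):
    """Convert an aware datetime to a Windows FILETIME integer."""
    return int(dt.timestamp() * 10_000_000) + EPOCH_DIFF_100NS


def identity_from_certificate(upn=None, cn=None):
    """Derive the directory username from the client certificate.

    Prefers the UPN in the subjectAltName ("alice@corp.example" -> "alice");
    falls back to the CN of the subject DN. No password is involved at any point:
    the TLS handshake already proved possession of the private key.
    """
    if upn:
        return upn.split("@", 1)[0].lower()
    if cn:
        for rdn in cn.split(","):
            key, _, value = rdn.strip().partition("=")
            if key.upper() == "CN":
                return value.lower()
    return None


def is_locked_out(entry, now_filetime, lockout_duration_s):
    """AD does not clear lockoutTime when the window expires; compute it."""
    lockout_time = entry.get("lockoutTime", 0)
    if lockout_time == 0:
        return False
    return now_filetime < lockout_time + lockout_duration_s * 10_000_000


def authorize(identity, directory, now_filetime, lockout_duration_s=1800):
    """Post-authentication authorization: (allowed, reason)."""
    entry = directory.get(identity)
    if entry is None:
        return (False, "not-found")          # cert is valid but user left AD
    if entry["userAccountControl"] & ACCOUNTDISABLE:
        return (False, "disabled")
    if is_locked_out(entry, now_filetime, lockout_duration_s):
        return (False, "locked-out")
    return (True, "ok")


# Constructed sample data (not from any real directory)
NOW = datetime(2016, 1, 26, 9, 0, tzinfo=timezone.utc)
NOW_FT = to_filetime(NOW)
DIRECTORY = {
    "alice": {"userAccountControl": 0x200, "lockoutTime": 0},                               # normal user
    "bob":   {"userAccountControl": 0x202, "lockoutTime": 0},                               # disabled
    "carol": {"userAccountControl": 0x200, "lockoutTime": to_filetime(NOW - timedelta(minutes=10))},  # locked 10 min ago
    "dave":  {"userAccountControl": 0x200, "lockoutTime": to_filetime(NOW - timedelta(hours=2))},     # lockout expired
}

if __name__ == "__main__":
    for upn in ("alice@corp.example", "bob@corp.example", "carol@corp.example",
                "dave@corp.example", "erin@corp.example"):
        user = identity_from_certificate(upn=upn)
        print(upn, "->", authorize(user, DIRECTORY, NOW_FT))
```

The point of the split between `identity_from_certificate` and `authorize` is the one the answer makes: EAP-TLS decides *authentication* from the certificate alone, so a failed EAP-TLS attempt never increments the AD bad-password counter; whether a disabled or locked-out account still gets network access is purely an *authorization* policy question, answered by the directory lookup.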
01-26-2016 04:02 AM
And am I correct in saying that the password is never exposed during EAP-TLS authentication?
Even on domain Windows computers the password is not part of the auth exchange.
01-26-2016 04:11 AM