Security

We use IAS radius authentication in our wireless network. And are having issues from time to time with users who have wireless devices( Ipad's, Iphones, laptops etc) which hold their AD login ID's and PW's. What is happening is when a password change happens not all the devices get the password changed and the users AD account gets locked out.

The IAS just says it is coming from the controller which doesn't help much.

Is there a way to track down where the device is trying to connect at with the information i have which is just the username they are trying to connect with?

Thanks...

The problem with non windows devices is that they cache the password and don't understand the Domain infrastructure to know to ask for an updated password. Instead they just keep retrying the password to connect to the SSID until it locks the account. The best way to solve the permanently i have found is to move to Certificate based authentication(EAP-TLS)

As for where the user is, you might be able to see their device in the Logon role in your user database, and from there you would see which AP they have associated with, which could give you a rough idea of where the user is.

If someone has any tips on how to manage username/passwords on a iOS device and prevent the lockout that would be great, as I know we have other customers who have this issue, and cannot move to certificate auth.

-ELiasz

There are a couple ways to deal with this (others may have better ways).

You can implement an authentication blacklist counter which will blacklist a device for failing authentication X times, which is 1 or 2 times less than it takes to lock out a Windows account.  The result is that device will not be allowed onto the network after failing 4 times, and not hitting the 6 that it takes the lock the account.  The device will be located under blacklisted clients.

All authentication failures are sent as an SNMP trap from the controller and you could monitor that output, or if you are using Airwave, it will collate and correlate all that information.

Thnaks for both your responses. Could you give details on how I could setup the client blacklist?

1.  You need to find the 802.1x profile that corresponds to that SSID and put a number in the "Max Authentication Failures Box".  Go to Configuration> Security> Authentication> L2 Authentication.  Click on 802.1x profile and find the one that corresponds to your SSID (click on "show references" if you are not sure which one).  Enter a number in the Max authentication failures box that matches how many times you want a user to fail before you blacklist him.

2.  You also need to go into the virtual AP profile and specify how long blacklisted users are kept off the network.  Go to Configuration> Wireless AP Configuration.  Find the AP-group that your access points are in and click on the "Edit" button to the right of it.  Expand Wireless Lan, Expand Virtual AP and find the Virtual AP that corresponds to your WLAN.  Click on that Virtual AP.  In the right pane Enable "Station Blacklisting" and put in a number of seconds in the "Authentication Failure Blacklist Time" to indicate how long you want those devices to be blacklisted.  By default it is 3600 seconds.

To monitor who is blacklisted, go into the Gui under Monitoring > Controller> Blacklist clients.  You can also type "show ap blacklist-clients" on the commandline.