Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

badPwdCount parameter in CPPM

In ClearPass, Authentication - Sources - <AD> 

When I browse to a certain user, it shows the badPwdCount is 4.

However, that user's password has just been reset, and they have successfully logged in.

It's been over 2 hours, and it still has not reset.

The 'Clear Cache' button in CPPM didn't change anything either.

 

Where does CPPM get this information, and how often does it update it?

 

Thanks,

Tony

Guru Elite
Posts: 8,795
Registered: ‎09-08-2010

Re: badPwdCount parameter in CPPM

What is your cache timeout set to in your AD auth source?

 


 

Also, can you use something like ADSIEdit to verify that the data is different in ClearPass vs AD?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: badPwdCount parameter in CPPM

Hi Tim:

Thanks, I had forgotten about adsiedit.

 

And that showed the issue. The badPwdCount for this user was different on different DCs. CPPM was reading it correctly.

 

That's odd, because repadmin showed that domain sync happened successfully a few minutes ago.

 

I know this is now a Microsoft question, but any ideas on what would cause that?

 

Thanks,

Tony
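
The per-DC comparison done above with ADSIEdit can also be scripted. The following is an added example, not code from the thread or from Aruba; it assumes the RSAT ActiveDirectory PowerShell module, and the function name `Get-BadPwdCountPerDC` and the account `jdoe` are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
# badPwdCount and badPasswordTime are maintained separately on each domain
# controller and are not replicated, so every DC is queried directly.
Import-Module ActiveDirectory

function Get-BadPwdCountPerDC {
    param(
        [Parameter(Mandatory)] [string] $Identity   # sAMAccountName or DN
    )
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server pins the query to this DC instead of whichever one answers first
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                     -Properties badPwdCount, badPasswordTime, lockoutTime `
                     -ErrorAction Stop
            [pscustomobject]@{
                DC              = $dc.HostName
                BadPwdCount     = $u.badPwdCount
                # badPasswordTime is a FILETIME; 0 or empty means no bad attempt recorded
                LastBadPassword = if ($u.badPasswordTime) {
                                      [DateTime]::FromFileTimeUtc($u.badPasswordTime)
                                  } else { $null }
                LockedOut       = [bool]$u.lockoutTime
                Error           = $null
            }
        } catch {
            # An unreachable DC is reported, not silently skipped
            [pscustomobject]@{
                DC = $dc.HostName; BadPwdCount = $null; LastBadPassword = $null
                LockedOut = $null; Error = $_.Exception.Message
            }
        }
    }
}

# 'jdoe' is a placeholder account name
$rows = Get-BadPwdCountPerDC -Identity 'jdoe'
$rows | Sort-Object DC | Format-Table -AutoSize

# Flag the situation seen in this thread: different counts on different DCs
$distinct = @($rows | Where-Object { -not $_.Error } |
              Select-Object -ExpandProperty BadPwdCount -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "badPwdCount differs between DCs: $($distinct -join ', ')"
}
```

The value shown in the ClearPass AD authentication source can then be compared against the row for the DC that ClearPass is configured to query.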
