11-08-2013 12:47 AM
I might have asked this in the past but wanted to see if there are any new suggestions. We're using 802.1X for secure wireless and most of our mobile devices are iPads and iPhones. The problem we have is when a user changes their AD password (every 90 days) and forgets to change the password on their iPad/phone, their AD account locks out after 3 attempts.
We have been using Aruba blacklisting after two failed attempts, which works but means our helpdesk are now un-blacklisting rather than unlocking AD accounts, which is not ideal. We also can't raise the number of failed auth attempts before lockout as this is part of a bigger security issue.
It seems silly to me that iOS will keep polling with the wrong credentials and doesn't just give up after failed auth. If others have come across this and have any advice it would be much appreciated.
P.S. ClearPass isn't an option for us due to cost.
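The pattern described above (one device repeatedly failing 802.1X with a stale password while the same user succeeds from another device) is easy to spot in authentication logs before the domain lockout threshold is hit. The following script is an added example, not code from the original thread or from Aruba: it parses a simplified, constructed syslog-style line format (real controller or RADIUS server output will differ, so the regex would need adapting), counts failures per user-and-MAC pair within a sliding window, and flags pairs that reach a threshold below the AD lockout count. The `user_ok_elsewhere` field notes whether the same account has authenticated successfully from a different MAC, which is the tell-tale sign of a forgotten device rather than a wrong password. Line format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample lines in an assumed, simplified format (not real Aruba/RADIUS output):
# "<ISO timestamp> auth user=<account> mac=<client MAC> result=<success|failure>"
SAMPLE_LOG = """\
2013-11-08T08:00:01 auth user=jsmith mac=aa:bb:cc:dd:ee:01 result=failure
2013-11-08T08:00:31 auth user=jsmith mac=aa:bb:cc:dd:ee:01 result=failure
2013-11-08T08:01:02 auth user=mjones mac=aa:bb:cc:dd:ee:02 result=success
2013-11-08T08:01:30 auth user=jsmith mac=aa:bb:cc:dd:ee:01 result=failure
2013-11-08T08:02:00 auth user=jsmith mac=aa:bb:cc:dd:ee:07 result=success
2013-11-08T09:15:00 auth user=kdoe mac=aa:bb:cc:dd:ee:03 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) mac=(?P<mac>\S+) "
    r"result=(?P<result>success|failure)$"
)

Alert = namedtuple(
    "Alert", "user mac failures_in_window first_seen last_seen user_ok_elsewhere"
)


def parse_log(text):
    """Return (timestamp, user, mac, result) tuples sorted by time; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            (datetime.fromisoformat(m["ts"]), m["user"].lower(), m["mac"].lower(), m["result"])
        )
    events.sort(key=lambda e: e[0])
    return events


def find_lockout_risks(text, threshold=2, window=timedelta(minutes=10)):
    """Flag (user, mac) pairs with >= threshold failures inside any `window`-long span.

    `threshold` is deliberately set below the domain lockout count (3 in the thread)
    so the helpdesk can contact the user before the account actually locks.
    """
    failures = defaultdict(list)   # (user, mac) -> failure timestamps
    success_macs = defaultdict(set)  # user -> MACs that authenticated successfully
    for ts, user, mac, result in parse_log(text):
        if result == "failure":
            failures[(user, mac)].append(ts)
        else:
            success_macs[user].add(mac)

    alerts = []
    for (user, mac), stamps in sorted(failures.items()):
        # Sliding window: largest number of failures from this device within `window`.
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            # Success from another MAC means the user knows the new password;
            # the failing device is almost certainly holding the old one.
            other_ok = bool(success_macs[user] - {mac})
            alerts.append(Alert(user, mac, best, stamps[0], stamps[-1], other_ok))
    return alerts


if __name__ == "__main__":
    for a in find_lockout_risks(SAMPLE_LOG):
        hint = "stale password on this device" if a.user_ok_elsewhere else "check with user"
        print(f"{a.user} @ {a.mac}: {a.failures_in_window} failures "
              f"between {a.first_seen:%H:%M:%S} and {a.last_seen:%H:%M:%S} ({hint})")
```

Run against real logs, the output gives the helpdesk the MAC to contact the user about (or to pre-emptively blacklist) instead of discovering the problem through a locked AD account.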
11-08-2013 03:22 AM
That's Apple for you! I for one am looking forward to the day they come out of that ivory tower and play nice. Anyway...
If you're sure ClearPass isn't an option... :(
The most obvious answer is try a different supplicant. In the past I've been a fan of Juniper (Funk) Odyssey. It's good, but you'd have to test to make sure it worked against this (and it costs money). Also I hear good things about "wpa supplicant" which I believe is free?
Either of these might solve it, but you'd then have to work out how to distribute it to users...
Also, I have heard of universities writing scripts for Macs to clear out old creds. I don't have specifics on it though!
My love/hate view of Apple continues!
11-08-2013 05:02 AM
Can you bump up the 3 failed attempts number? For me, the mail app on the iPhone will prompt me for credentials when I change my AD password. Not sure if iOS is still trying to use cached credentials or not. Might be an OWA setting? I am not an MS expert... just sharing my experience.
Consulting Systems Engineer - ACCX, ACDX, ACMX
11-08-2013 05:06 AM
Thanks for the responses. The issue isn't with the mail app, which will prompt for credentials, but with the 802.1X for Wi-Fi, which will just continue to try and authenticate until it either gets blacklisted by Aruba or locks out the AD account.
The 3 tries setting is part of our global domain settings and will affect wired and wireless, something we cannot alter. Besides, putting it up to 10 would still lock out the account if the user doesn't change it, as the 802.1X seems to just keep trying.
11-08-2013 05:29 AM
Aruba Customer Engineering
11-08-2013 06:50 AM
Do you have an internal PKI environment? If so, you could create certificates for your mobile devices. If you don't have ClearPass for Onboarding, it can be a bit cumbersome because you have to manually load the certificates over your guest network and email the certificate to yourself or the mobile device owner. We did this for a while; it just doesn't scale well.