Frequent Contributor II

AD password change with 802.1x authentication and wifi

How are you addressing the issue where a user changes their password in AD using their wired PC and then tries to connect from a laptop with their old cached credentials?  More specifically - a user logs into their wired computer and is prompted to change their AD password.  They complete that process and are now logged into their wired computer and connected to AD.

 

Then they boot up their laptop and log into it with their old cached credential password and attempt to connect to the network via wireless (it's set to auto connect upon login and is set to use the user credentials from logging into the laptop).  They fail user authentication to the wireless network and are not able to get to any resources at that point. Need some way for them to be able to put in their new credentials.

 

One obvious way around that is to connect the laptop up wired and lock the laptop then provide the new credentials to unlock the laptop. Then they are able to connect to wireless using the new cached credentials.

Guru Elite

Re: AD password change with 802.1x authentication and wifi

Are you using machine authentication?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: AD password change with 802.1x authentication and wifi

In some environments, if the credentials are rejected due to invalid password, the devices are typically prompted to re-enter their credentials....

 

For my documentation, I typically have users remove their profile and re-do the entire thing, on iPhones/Androids primarily because I have seen the different OSs use the new credentials once, but not cache those, so next auth is rejected again... 

 

If the users ignore the message, well, then they sometimes experience issues, as some devices don't re-prompt....

Frequent Contributor II

Re: AD password change with 802.1x authentication and wifi

Yes we are doing both machine and user auth.

 

Ian

Guru Elite

Re: AD password change with 802.1x authentication and wifi

When the device is machine authed at the login screen, it should prompt the user to change their password, or if they enter fresh credentials, it should check AD.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: AD password change with 802.1x authentication and wifi


istong wrote:

How are you addressing the issue where a user changes their password in AD using their wired PC and then tries to connect from a laptop with their old cached credentials?  More specifically - a user logs into their wired computer and is prompted to change their AD password.  They complete that process and are now logged into their wired computer and connected to AD.

 

Then they boot up their laptop and log into it with their old cached credential password and attempt to connect to the network via wireless (it's set to auto connect upon login and is set to use the user credentials from logging into the laptop).  They fail user authentication to the wireless network and are not able to get to any resources at that point. Need some way for them to be able to put in their new credentials.

 

One obvious way around that is to connect the laptop up wired and lock the laptop then provide the new credentials to unlock the laptop. Then they are able to connect to wireless using the new cached credentials.


istong,

 

The best thing would be for them to log off, then attempt to log back in.  If they log off, machine authentication would take place, then they can do a "real" login to their laptop after.  Logging off then logging back in is faster than a reboot.  I hope you are not changing VLANs when the user and computer authenticate, otherwise it will break this process.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: AD password change with 802.1x authentication and wifi

Logging out and back in doesn't work.  Likely because we only set the authenticated role after you pass both machine and user auth.  Hence wondering what others do when faced with this issue.

 

Guru Elite

Re: AD password change with 802.1x authentication and wifi

We have a machine auth role that only allows access to domain controllers, dhcp, dns, and WSUS. This allows users to enter their new password or change it.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
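
The machine-auth role described in the post above, modelled as an added example (not code or configuration from the thread or from Aruba). Role names, host names and the simplified first-match ACL model are assumptions; it shows why a laptop with a stale cached password can refresh its credentials only if the machine-only state can reach a domain controller.

```python
from dataclasses import dataclass

# Constructed sample hosts; the host and role names below are assumptions.
DC, WSUS, FILESRV = "dc01", "wsus01", "files01"

@dataclass(frozen=True)
class Rule:
    dst: str       # destination host, or "any"
    service: str   # service name, or "any"
    permit: bool

ROLES = {
    # Pre-authentication role: address assignment and name resolution only.
    "logon": [Rule("any", "dhcp", True), Rule("any", "dns", True)],
    # Machine-auth role as described in the post: DCs, DHCP, DNS and WSUS only.
    "mach-auth": [Rule("any", "dhcp", True), Rule("any", "dns", True),
                  Rule(DC, "any", True), Rule(WSUS, "wsus", True)],
    "authenticated": [Rule("any", "any", True)],
}

def allowed(role, dst, service):
    """First-match evaluation with an implicit deny when no rule matches."""
    for rule in ROLES[role]:
        if rule.dst in ("any", dst) and rule.service in ("any", service):
            return rule.permit
    return False

def derive_role(machine_ok, user_ok, machine_only_role):
    """Full access needs both authentications; machine-only gets the given role.
    Simplification: a user-only or unauthenticated client stays in 'logon'."""
    if machine_ok and user_ok:
        return "authenticated"
    return machine_only_role if machine_ok else "logon"

def stale_password_logon(machine_only_role):
    """Laptop with a stale cached user password: machine auth passes, user auth fails.
    Returns (role, True if the client can reach a DC to validate the new password)."""
    role = derive_role(machine_ok=True, user_ok=False,
                       machine_only_role=machine_only_role)
    return role, allowed(role, DC, "kerberos")

if __name__ == "__main__":
    # Compare leaving machine-only clients in 'logon' with a dedicated role.
    for choice in ("logon", "mach-auth"):
        print(choice, stale_password_logon(choice))
```
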
Guru Elite

Re: AD password change with 802.1x authentication and wifi

Passing machine only authentication needs to have the authenticated role. Backend processes and a lot of long scripts cannot proceed unless you do this.


Colin Joseph
Aruba Customer Engineering


Guru Elite

Re: AD password change with 802.1x authentication and wifi

[Attached screenshots: machine-auth-cp.PNG, mach-auth-role.PNG, mach-auth-role_ad-login.PNG, mach-auth-role_win-mach-acl.PNG]


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480