02-05-2014 01:14 PM
So I set up an SSID and attached it to a RADIUS server. Everything works except one thing I am not sure about.
I wanted to test what happens when you change the password in AD: would it kick the user off their phones and other wireless devices or not?
The first time I tested it, it worked, but when I tested it again the clients never got kicked off. Is there a way to specify when Aruba checks the RADIUS server for credentials?
02-05-2014 02:29 PM - edited 02-05-2014 02:33 PM
For captive portal login:
Re-authentication Interval (optional)
Time, in minutes, after which the client is required to reauthenticate. Enter a value between 0-4096. 0 disables reauthentication.
Default: 0 (disabled)
Use the re-auth option: (you can apply it on any
Select this option to force the client to do a 802.1x re-authentication after the expiration of the default timer for re-authentication. The default value of the timer (Reauthentication Interval) is 24 hours. If the user fails to re-authenticate with valid credentials, the state of the user is cleared.
If derivation rules are used to classify 802.1x-authenticated users, then the Re-authentication timer per role overrides this setting.
02-05-2014 02:42 PM
Are you using WPA2-enterprise 802.1X with EAP-PEAP MSCHAPv2?
If the password is changed in AD the user should also change it on his/her device. Depending on type of device this could mean the user has to "forget the network" and then re-configure it. This is one of the big down-sides of PEAP.
For BYOD deployments you should consider using ClearPass OnBoard which will provision a certificate on the device and from then on EAP-TLS is used.
If you have domain joined Windows devices you can just push down a GPO with the correct network settings and the users don't have to worry about changing their password on the 802.1X profile as well.
ACMX#255 | ACMP | ACCP | AWMP
02-05-2014 09:27 PM - edited 02-05-2014 09:29 PM
We are using RADIUS with PEAP for our (BYOD). It's a big hassle because every time users change their password in AD, which used to be every 90 days, they would not delete the profile on their phones, which would then cause the RADIUS to lock out their account for 24 hours. This produces a lot of help desk calls. We are going to move to ClearPass, possibly this year. Also, when users bring in Windows 7 devices, the default settings are set up for AD users, but because they are not AD users on our network (BYOD), again the Windows profile has to be configured not to verify the certificate and not to use their local credentials from their home laptop. I suggest ClearPass; we had to go with RADIUS because we didn't have the budget for ClearPass before, but I'm hoping this year.
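The lockouts described in the last post come from devices replaying a saved PEAP password after an AD change. The following triage script is an added example, not part of the thread: it separates those rejects from ones worth investigating. The event layout, the sample data and the name `classify_rejects` are constructed for illustration and do not match any particular RADIUS server's log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data; the field layout (time, user, client MAC, result)
# is an assumption, not a real RADIUS server log format.
AUTH_EVENTS = """\
2014-02-03T08:01:10 alice 00:11:22:33:44:55 accept
2014-02-04T09:15:00 alice 00:11:22:33:44:55 reject
2014-02-04T09:15:30 alice 00:11:22:33:44:55 reject
2014-02-04T09:16:00 alice 00:11:22:33:44:55 reject
2014-02-03T10:00:00 bob 66:77:88:99:aa:bb accept
2014-02-04T11:00:00 bob de:ad:be:ef:00:01 reject
2014-02-04T11:00:05 bob de:ad:be:ef:00:01 reject
2014-02-04T11:00:09 bob de:ad:be:ef:00:01 reject
"""
# Constructed: when each password was last changed in the directory.
PASSWORD_CHANGED = {"alice": "2014-02-04T09:00:00"}

def classify_rejects(events_text, password_changed, threshold=3):
    """Return {(user, mac): label} for pairs with >= threshold open rejects."""
    known_good = defaultdict(set)  # user -> MACs that have authenticated
    rejects = defaultdict(list)    # (user, mac) -> reject timestamps
    # ISO timestamps sort lexicographically, so this orders events by time.
    rows = sorted(l.split() for l in events_text.splitlines() if l.strip())
    for ts, user, mac, result in rows:
        if result == "accept":
            known_good[user].add(mac)
            rejects.pop((user, mac), None)  # device recovered, reset count
        else:
            rejects[(user, mac)].append(datetime.fromisoformat(ts))
    findings = {}
    for (user, mac), times in rejects.items():
        if len(times) < threshold:
            continue
        changed = password_changed.get(user)
        after_change = changed and min(times) >= datetime.fromisoformat(changed)
        # A device that used to authenticate and only fails after the
        # password change is most likely holding the old saved password.
        if mac in known_good[user] and after_change:
            findings[(user, mac)] = "stale-saved-password"
        else:
            findings[(user, mac)] = "investigate"
    return findings

if __name__ == "__main__":
    for key, label in classify_rejects(AUTH_EVENTS, PASSWORD_CHANGED).items():
        print(key, label)
```
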