Wireless Access

Occasional Contributor II
Posts: 44
Registered: ‎08-10-2011

RADIUS/MSCHAPv2 password change on expiration via Captive Portal


Hi there,

We have some user groups (Microsoft Active Directory users) who only have access via a proprietary captive portal appliance. The user devices aren't domain members. These users gain access via an open/unencrypted WLAN (Aruba controller/Access Points).

We are considering replacing this proprietary captive portal with either the integrated captive portal function on the mobility controllers or ClearPass.

Question: Is there a way for these users to change their AD password via the captive portal page (in case the password has expired and the user has to change it)? Let me write down the process at a very high level:

- User is redirected to captive portal login page

- User provides credentials

- Mobility Controller/RADIUS receives a message from AD that the password has expired and the user has to change it

- Captive Portal Page informs the user that the password has expired

- Captive Portal Page provides a form where the user can enter the old password (for validation) and the new password

- Mobility Controller/RADIUS changes the user's password in AD

- User is either authenticated or has to provide the new password again to gain access

With the current proprietary solution this is possible. RADIUS and MSCHAPv2 support password changes; see the FreeRADIUS v3 implementation as a reference: https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/doc/modules/mschap.rst#password-changes

It would be great if anybody could explain whether this is possible with Aruba captive portals (slightly different solutions would also help me).

Thanks in advance,

Tobias

Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: RADIUS/MSCHAPv2 password change on expiration via Captive Portal

Hi,

I'm just curious to know why you want to use Captive Portal for AD users? CP is meant for Guest access.

If you want the same solution with CP, yes, it should work. Anyway, let me replicate the same in my lab and come back to you.

Cheers,
Venu Puduchery,
[Has my post helped you? Give Kudos :) ]
Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: RADIUS/MSCHAPv2 password change on expiration via Captive Portal

Hi,

Yes, we can handle this in CPPM.

We have to pull the expiry date and time of the password and compare it with the current date and time. If the current date and time is greater than the expiry date and time, then we have to change the role such that it will redirect to another CP page, which can display the information about the password expiry and request the user to renew the password.

This is the only workaround for your requirement.

Still, if you are not clear or not able to configure it, please feel free to open a TAC ticket to get it done.

Cheers,
Venu Puduchery,
[Has my post helped you? Give Kudos :) ]
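
The expiry comparison described in the reply above, sketched as an added example; it is not part of the thread and is not ClearPass configuration. It assumes the expiry is read from the AD attribute `msDS-UserPasswordExpiryTimeComputed` (a Windows FILETIME); the role names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Value AD returns when the password never expires (too large for datetime).
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF

# Hypothetical role names, chosen for this example only.
ROLE_AUTHENTICATED = "authenticated"
ROLE_PASSWORD_EXPIRED = "password-expired-portal"
ROLE_DENY = "deny"


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def select_role(raw_expiry, now):
    """Pick a role from the raw attribute value as returned by the directory."""
    try:
        filetime = int(raw_expiry)
    except (TypeError, ValueError):
        return ROLE_DENY  # missing or malformed attribute: fail closed
    if filetime < 0:
        return ROLE_DENY
    if filetime == NEVER_EXPIRES:
        return ROLE_AUTHENTICATED
    if filetime == 0:
        # AD computes 0 when pwdLastSet is 0: password must be changed now.
        return ROLE_PASSWORD_EXPIRED
    try:
        expiry = filetime_to_datetime(filetime)
    except OverflowError:
        return ROLE_DENY
    return ROLE_PASSWORD_EXPIRED if now >= expiry else ROLE_AUTHENTICATED


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for raw in ("133590816000000000", "0", str(NEVER_EXPIRES), None):
        print(repr(raw), "->", select_role(raw, now))
```

The missing-attribute case returns the deny role so that a failed directory lookup does not silently grant access.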