Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

User changed password, authentication fails but Win10 doesn't prompt

  • 1.  User changed password, authentication fails but Win10 doesn't prompt

    Posted Feb 26, 2019 04:07 AM

    I'm investigating this issue, not yet sure whether it's due to ClearPass or a client issue:

    We use Windows Group Policies to push the configuration of known SSIDs to our users. Our "normal" SSID can use the Windows credentials in domain\user format, but we also push settings for another network (eduroam) where the user has to enter their username and password in user@domain format. This works fine during initial configuration, but when the user changes his password, Windows doesn't prompt for the credentials. The user can't even change the password, as the WLAN settings "are configured by your administrator" through GPOs.

    After changing the password, ClearPass answers with a REJECT:

    MSCHAP: AD status:Logon failure (0xc000006d)

    MSCHAP: Authentication failed

    EAP-MSCHAPv2: User authentication failure

    That's normal, but it doesn't seem to trigger Windows 10 to ask him to re-enter his credentials. On Windows 7 it does.

    We noticed this behavior quite recently, and we assume it used to work before... Maybe it's due to a recent update to Windows 10 (version 1709 + updates), maybe it's due to an upgrade of ClearPass (currently running 6.7.7).


    Anyone else bumped into this as well? How is Windows 10 triggered to ask the user for (updated) credentials? Does this depend on the RADIUS response?



  • 2.  RE: User changed password, authentication fails but Win10 doesn't prompt

    Posted Feb 26, 2019 05:35 AM

    Are the clients logging into the computer with their domain credentials? If so, you can just select "use Windows username+password" in the EAP-PEAP settings; I don't think you need to change your credentials after every password change then.



  • 3.  RE: User changed password, authentication fails but Win10 doesn't prompt

    Posted Feb 26, 2019 06:07 AM

    Yes, they're using their domain credentials, and that works fine for our internal SSID. For the other SSID, we can't use domain\username (which is how Windows passes the credentials) but we need user@domain.

    The issue we have is with this other type: "eduroam" is a global network of roaming between educational institutions where the user@domain form is needed to look up the domain where the user needs to be authenticated.



  • 4.  RE: User changed password, authentication fails but Win10 doesn't prompt

    Posted Feb 26, 2019 06:22 AM

    Check Clear/Forget Password from the Windows 10 client machine. Windows doesn't recognize the password change even if it's AD.



  • 5.  RE: User changed password, authentication fails but Win10 doesn't prompt

    Posted Feb 27, 2019 04:50 AM

    That doesn't work as this network is pushed to the client machine using group policies. We're pushing the settings like WPA2, AES, PMK TTL, trusted root certificate,... but the user's credentials should be changeable and the user should be prompted for (new) credentials when the saved credentials don't work. But the user is only prompted for credentials the first time he connects.

    In Windows 7 this works flawlessly, so I assume it's more a Windows issue than a ClearPass issue.



  • 6.  RE: User changed password, authentication fails but Win10 doesn't prompt

    Posted Feb 27, 2019 03:25 PM

    I am also seeing this issue pop up as well, but not only on Windows 10 but also MacOS. One of our tier 1 guys recently brought this to my attention and I have not been able to find a whole lot of information on it thus far. All I know is that it started recently and I am trying to get him to get me a timeline or "patient zero" so we can try to track it back to something that happened.


    We use ClearPass for dot1x wireless authentication in this site and have been for over 4 months now. Right after the cutover there were no issues.


    The other day I changed my own Win10 laptop password to try to replicate the issue. As soon as I changed it I disconnected and reconnected to our dot1x wifi signal just fine. No issues at all.


    Today I come back into the office after working from home and I find I'm getting a "Cannot connect to this network" error message. I had to forget the SSID and re-enter my credentials. I did notice, however, that the check box to use the Windows domain credentials was not something I could click anymore. I have to manually enter them, which may lead to caching them locally on the device instead of using an updated credential?


    [Attached screenshot: 2019-02-27-no-win-credentials.PNG]

    The same thing appears to happen on MacOS, giving us an "Incorrect Password" error, and the solution appears to be the same: forget the network and re-enter credentials. This is obviously cumbersome and costs man-hours that we'd like to spend elsewhere.



  • 7.  RE: User changed password, authentication fails but Win10 doesn't prompt

    Posted Feb 27, 2019 05:48 PM

    This appears related to Windows 10 Credential Guard.


    Disabling this allowed us to use the Windows user logon option again.



  • 8.  RE: User changed password, authentication fails but Win10 doesn't prompt
    Best Answer

    Posted Feb 28, 2019 10:38 AM

    That's not my issue, my issue is the other way around: NOT asking for credentials after the user changes his password, and thus it keeps trying to authenticate with a cached, wrong, password.


    But it seems to be a Windows 10-issue, as described by GrandmasterPhil in https://social.technet.microsoft.com/Forums/en-US/c6f1c3bf-1dc7-4879-8857-0c8356607699/no-prompt-for-wireless-password-after-ad-password-changed?forum=win10itpronetworking



  • 9.  RE: User changed password, authentication fails but Win10 doesn't prompt

    Posted Mar 05, 2019 03:00 AM

    I'm having the same issue as well for eduroam. But only on some computers, it seems, which is strange.


    So there is no solution?



  • 10.  RE: User changed password, authentication fails but Win10 doesn't prompt
    Best Answer

    Posted Mar 05, 2019 08:08 AM

    Our solution was to change the Group Policy setting to "Cache user information for subsequent connections to this network => Disabled ".

    Users will need to re-enter their credentials every time they connect to the network, but as this is not their primary network, we take that disadvantage over the blocking caused by caching the wrong credentials.
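    The Group Policy setting in the post above maps to the cacheUserData element of the OneX section in a Windows WLAN profile (the XML you get from `netsh wlan export profile`). The following is an added example, not code from the thread or from HPE Aruba: it audits an exported profile for that setting and produces a copy with caching disabled. The sample profile is constructed and trimmed to the elements the check needs; the namespace URIs are the ones Windows writes into exported profiles.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Namespaces used in Windows WLAN profile XML (as written by `netsh wlan export profile`).
WLAN_NS = "http://www.microsoft.com/networking/WLAN/profile/v1"
ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"

# Constructed sample profile, trimmed to the elements this check looks at.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>eduroam</name>
  <SSIDConfig><SSID><name>eduroam</name></SSID></SSIDConfig>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <authMode>user</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"""


def _text(el: Optional[ET.Element]) -> Optional[str]:
    return el.text.strip() if el is not None and el.text else None


def _as_bool(value: Optional[str]) -> Optional[bool]:
    return None if value is None else value.lower() == "true"


def audit_profile(xml_text: str) -> Dict[str, object]:
    """Report whether an 802.1X profile caches the user's credentials."""
    root = ET.fromstring(xml_text)
    name = _text(root.find(f"{{{WLAN_NS}}}name"))
    use_onex = _as_bool(_text(root.find(f".//{{{WLAN_NS}}}useOneX")))
    cache = _as_bool(_text(root.find(f".//{{{ONEX_NS}}}cacheUserData")))
    auth_mode = _text(root.find(f".//{{{ONEX_NS}}}authMode"))
    if not use_onex:
        verdict = "not an 802.1X profile"
    elif cache is False:
        verdict = "ok: credentials are not cached, user is prompted on each connection"
    elif cache is True:
        verdict = "caches credentials: a changed password keeps failing without a prompt"
    else:
        verdict = "cacheUserData not set: Windows default applies"
    return {"profile": name, "useOneX": use_onex, "authMode": auth_mode,
            "cacheUserData": cache, "verdict": verdict}


def disable_cache(xml_text: str) -> str:
    """Return the profile with cacheUserData forced to false (the setting from the post)."""
    ET.register_namespace("", WLAN_NS)
    ET.register_namespace("onex", ONEX_NS)
    root = ET.fromstring(xml_text)
    el = root.find(f".//{{{ONEX_NS}}}cacheUserData")
    if el is None:
        onex = root.find(f".//{{{ONEX_NS}}}OneX")
        if onex is None:
            raise ValueError("profile has no OneX section")
        # cacheUserData is the first child of OneX in the schema, so insert at index 0.
        el = ET.Element(f"{{{ONEX_NS}}}cacheUserData")
        onex.insert(0, el)
    el.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE)["verdict"])
    print(audit_profile(disable_cache(SAMPLE_PROFILE))["verdict"])
```

Running the audit over every profile in a GPO export shows which SSIDs will keep retrying a stale password; disable_cache shows what the corrected profile looks like before it is re-imported.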



  • 11.  RE: User changed password, authentication fails but Win10 doesn't prompt

    Posted Mar 05, 2019 08:26 AM

    OK, thanks. If we encounter more clients with this issue, I think this would be our solution as well.



  • 12.  RE: User changed password, authentication fails but Win10 doesn't prompt

    Posted Dec 30, 2020 10:06 AM

    I am currently experiencing this same issue with Android devices only. This is what I have:

    - Aruba IAP with CPPM

    - Advertising a corp SSID

    - Users connect with their personal devices and are dropped into the non-corp network.

    When users change their AD password, it does not prompt them to change it on the Android device. This results in their AD account being locked out as they have too many unsuccessful authentications. Is there any way Android devices can be prompted to tell users to update their password? iOS users are prompted to change their passwords. Also, this seems to be a recent change in Android, but I am not sure when or why this was introduced.

    Is it possible to configure something on the IAP or CPPM that prompts Android users to update their password?
    Is this normal Android behaviour?
    Is there something we can configure on the Android device for this behaviour?

    Thanks in advance.



    ------------------------------
    Inzamam Shahid
    ------------------------------



  • 13.  RE: User changed password, authentication fails but Win10 doesn't prompt

    EMPLOYEE
    Posted Jan 04, 2021 05:07 AM
    It is deprecated to use company credentials for username/password authentication on PEAP or TTLS, as the credentials are easy to obtain through man-in-the-middle attacks if the client is not 100% controlled. EAP-TLS is recommended, and also solves your password lockout problem.

    Then, yes, it is expected that most clients will just retry authentication in PEAP and potentially lock out an account. One option in Instant is to use the Blacklist feature and set the max auth failures to a number smaller than your AD failed-attempts lockout.


    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
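    The threshold relationship in the post above (NAS-side max auth failures strictly below the AD lockout count) is easy to check from the authentication log. The following is an added example, not code from the thread or from HPE Aruba: it parses constructed log lines that reuse the "MSCHAP: AD status:Logon failure (0xc000006d)" text quoted earlier in the thread, counts failures per user inside a sliding window the way an AD lockout observation window does, and lists the users who have already hit the NAS limit. The timestamp and user= prefix are an assumed export layout, not ClearPass's own log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log. The MSCHAP text is the ClearPass message quoted in the thread;
# the "<timestamp> user=<name>" prefix is an assumed layout for this example.
SAMPLE_LOG = """\
2019-02-26T04:00:01 user=alice@example.edu MSCHAP: AD status:Logon failure (0xc000006d)
2019-02-26T04:00:31 user=alice@example.edu MSCHAP: AD status:Logon failure (0xc000006d)
2019-02-26T04:00:40 user=bob@example.edu MSCHAP: AD status:Logon failure (0xc000006d)
2019-02-26T04:01:02 user=alice@example.edu MSCHAP: AD status:Logon failure (0xc000006d)
2019-02-26T04:01:10 user=bob@example.edu EAP-MSCHAPv2: User authentication succeeded
2019-02-26T04:01:33 user=alice@example.edu MSCHAP: AD status:Logon failure (0xc000006d)
"""

_LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<msg>.*)$")
_LOGON_FAILURE = "AD status:Logon failure (0xc000006d)"

Event = Tuple[datetime, str, bool]  # (timestamp, user, failed)


def parse_events(text: str) -> List[Event]:
    """Turn log lines into (timestamp, user, failed) tuples; unparseable lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m is None:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], _LOGON_FAILURE in m["msg"]))
    return events


def max_failures_in_window(events: List[Event], window: timedelta) -> Dict[str, int]:
    """Largest number of logon failures one user produced inside any single window.

    This mirrors an AD lockout counter: failures accumulate until the observation
    window passes, and the threshold applies to the count within that window.
    """
    stamps: Dict[str, List[datetime]] = defaultdict(list)
    for ts, user, failed in events:
        if failed:
            stamps[user].append(ts)
    result: Dict[str, int] = {}
    for user, times in stamps.items():
        times.sort()
        best = start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        result[user] = best
    return result


def users_at_risk(events: List[Event], max_auth_failures: int, ad_lockout_threshold: int,
                  window: timedelta = timedelta(minutes=30)) -> List[str]:
    """Users whose failure count has reached the NAS-side limit.

    The NAS limit must sit below the AD threshold; otherwise the client is only
    blacklisted after the account has already been locked.
    """
    if max_auth_failures >= ad_lockout_threshold:
        raise ValueError("max auth failures must be lower than the AD lockout threshold")
    counts = max_failures_in_window(events, window)
    return sorted(user for user, n in counts.items() if n >= max_auth_failures)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print(max_failures_in_window(events, timedelta(minutes=30)))
    print(users_at_risk(events, max_auth_failures=3, ad_lockout_threshold=5))
```

A device stuck on a cached, wrong password produces the alice pattern above: evenly spaced failures with no success in between, which is the signature to alert on before the AD lockout threshold is reached.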



  • 14.  RE: User changed password, authentication fails but Win10 doesn't prompt

    EMPLOYEE
    Posted Jan 05, 2021 08:05 PM

    Hi,

    What is your ClearPass version?
    You may try upgrading the ClearPass servers to 6.8.8 or 6.9.4 and check if the below change in password prompt behaviour helps.

    From 6.8.8 release notes:

    * Policy Manager now retries PEAP/EAP-MSCHAPv2 failed authentications, as defined in EAP-MSCHAPv2 RFC. When a failed authentication is retried, the supplicant correctly prompts for the new password, and the network SSID does not need to be edited. If the supplicant does not support MSCHAPv2 retries, then the Access Tracker will show the request as TIMEOUT. (CP-36406, CP-40488)
    * Policy Manager will now only send an MSCHAP-error login retry option and password prompt in the case of a Logon Failure error or Wrong Password error. A retry is not allowed for any other error. (CP-38491, CP-40078)


    ------------------------------
    Saravanan Rajagopal
    ------------------------------
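    The release notes quoted above describe the MS-CHAPv2 retry mechanism: the authenticator's Failure packet carries a text message "E=<code> R=<0|1> C=<challenge> V=<version> M=<text>" (RFC 2759, section 6), and a supplicant only re-prompts the user when the error is 691 and R=1. The following is an added example, not code from the thread or from HPE Aruba: it builds that message on the server side, parses it on the supplicant side, and shows which combinations lead to a password prompt and which leave a client silently retrying a cached password. The error-code table is the one from the RFC; the challenge bytes in the usage are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Error codes defined in RFC 2759, section 6 (Message field of the Failure packet).
MSCHAPV2_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
# E: error code, R: 1 if the client may retry, C: new 16-byte challenge as hex,
# V: protocol version (3 for MS-CHAPv2), M: optional human-readable text.
_FAILURE_RE = re.compile(
    r"^E=(?P<code>\d+)\s+R=(?P<retry>[01])\s+C=(?P<challenge>[0-9A-Fa-f]{32})"
    r"\s+V=(?P<version>\d+)(?:\s+M=(?P<message>.*))?$"
)


@dataclass(frozen=True)
class MsChapV2Failure:
    code: int
    retry_allowed: bool
    challenge: bytes
    version: int
    message: Optional[str]

    @property
    def error_name(self) -> str:
        return MSCHAPV2_ERRORS.get(self.code, f"UNKNOWN_{self.code}")


def format_failure(code: int, retry_allowed: bool, challenge: bytes,
                   version: int = 3, message: Optional[str] = None) -> str:
    """Authenticator side: build the Message field of a Failure packet."""
    if len(challenge) != 16:
        raise ValueError("MS-CHAPv2 challenge must be 16 bytes")
    text = f"E={code} R={1 if retry_allowed else 0} C={challenge.hex().upper()} V={version}"
    if message is not None:
        text += f" M={message}"
    return text


def parse_failure(text: str) -> MsChapV2Failure:
    """Supplicant side: parse the Message field of a Failure packet."""
    m = _FAILURE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed MS-CHAPv2 failure message: {text!r}")
    return MsChapV2Failure(
        code=int(m["code"]),
        retry_allowed=m["retry"] == "1",
        challenge=bytes.fromhex(m["challenge"]),
        version=int(m["version"]),
        message=m["message"],
    )


def supplicant_action(failure: MsChapV2Failure) -> str:
    """What a supplicant that follows RFC 2759 does with the failure."""
    if failure.code == 648:
        # Password expired: the client may start the change-password exchange (RFC 2759, section 7).
        return "change_password"
    if failure.code == 691 and failure.retry_allowed:
        # Wrong password and a retry is allowed: re-prompt the user and answer the
        # new challenge C with the freshly entered password, on the same SSID.
        return "prompt_and_retry"
    # Any other code, or R=0: this authentication is over. A client holding a
    # cached, stale password just fails the same way on its next attempt.
    return "fail"


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed challenge, not a real one
    for code, retry in ((691, True), (691, False), (648, True), (647, False)):
        wire = format_failure(code, retry, challenge, message="constructed")
        f = parse_failure(wire)
        print(f"{f.error_name:<28} R={int(f.retry_allowed)} -> {supplicant_action(f)}")
```

The first row is the behaviour the 6.8.8 notes add (691 with R=1, which is what makes a supplicant prompt); the second row is what the thread was seeing before, where the failure closes the exchange and the cached password is retried on the next association.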