There are multiple methods, depending on your requirements. Certificates are the only secure method, but the most important thing to realize is that there are no secure password methods for WPA2-Enterprise/802.1X, as the only security depends on the clients trusting only the server certificate, and that is nearly impossible to do on unmanaged devices. For AD clients, or managed clients, enroll a client certificate and work around all the issues with passwords.
If you really want to use passwords, you could consider using the Guest module in ClearPass to let your users self-sponsor an account for WPA2-Enterprise/802.1X with a longer active password, but the same issue is there: you cannot protect that password from being leaked by the client unless you manage/control those clients. If you don't have that control, consider the credentials to be leaked and don't allow critical access; for just internet access it may be acceptable.
The best is to reach out to your Aruba partner and discuss the possibilities (and what to avoid) with them. It really depends on your requirements what is acceptably secure.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily those of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 13, 2021 09:44 AM
From: Jaco Janse van Rensburg
Subject: Clearpass - AD Integration - Password Change
So, is there no way to circumnavigate the issue without using certificates?
------------------------------
Jaco Janse van Rensburg
Original Message:
Sent: Jul 13, 2021 07:09 AM
From: marcel koedijk
Subject: Clearpass - AD Integration - Password Change
Hi Jaco,
When using WPA2-Enterprise there are different authentication methods; this sounds like you use EAP-PEAP MSCHAPv2 (with username/password) authentication. Username and password are saved in your WLAN profile (password hashed) on the client device. Therefore you need to forget the WLAN profile when the password is changed. Some Windows versions (but it depends on the version) will automatically ask for the new password. This is a (Windows) operating system issue.
In fact EAP-PEAP MSCHAPv2 is deprecated and can easily lead to leaking your AD credentials to hackers.
I would advise using EAP-TLS certificate-based authentication for the best security; it will also fix the "forget wifi ssid" issue.
If not possible, I would recommend using EAP-PEAP MSCHAPv2 only with dedicated local user accounts and never AD accounts.
See also this YouTube video of Herman's on security concerns about MSCHAP: https://www.youtube.com/watch?v=50fO3j4NgyQ&t=33s
------------------------------
Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
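Both Herman's and Marcel's posts come down to one client-side setting: a PEAP/MSCHAPv2 password is only as safe as the client's check of the RADIUS server certificate, and EAP-TLS removes the stored password altogether. The Python below is an added example (not code from this thread, from Aruba or from ClearPass) that audits a Windows WLAN profile export for exactly those settings: which outer and inner EAP methods are configured, whether the user can be prompted to accept an unknown server certificate, and whether a root CA and server name are pinned. The three profiles it checks are constructed by hand and modelled on the XML that `netsh wlan export profile` writes; the element and namespace names are assumptions taken from that format, and `radius.example.com` and the CA thumbprint are placeholders.

```python
"""Audit Windows WLAN profile XML for the 802.1X settings that decide whether a
PEAP/MSCHAPv2 password can leak. Added example; sample profiles are constructed
and modelled on the netsh export format (namespace/element names are assumptions)."""
import xml.etree.ElementTree as ET

# Namespaces as they appear in the Windows WLAN profile export (assumed from that format).
NS = {
    "w": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "ehc": "http://www.microsoft.com/provisioning/EapHostConfig",
    "ec": "http://www.microsoft.com/provisioning/EapCommon",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
}
EAP_NAMES = {"13": "EAP-TLS", "25": "PEAP", "26": "MSCHAPv2"}

# Constructed PEAP profile; {server_validation} is filled in to build a weak and a hardened variant.
PEAP_TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
      <Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            {server_validation}
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
          </EapType>
        </Eap>
      </Config>
    </EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>
"""
# Weak: user may be prompted to accept any server certificate, no CA pinned, no server name check.
WEAK_VALIDATION = """<ServerValidation>
  <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
  <ServerNames></ServerNames>
</ServerValidation>"""
# Hardened: prompt disabled, RADIUS name restricted, one root CA pinned (placeholder thumbprint).
HARDENED_VALIDATION = """<ServerValidation>
  <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
  <ServerNames>radius.example.com</ServerNames>
  <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
</ServerValidation>"""
WEAK_PEAP_PROFILE = PEAP_TEMPLATE.format(server_validation=WEAK_VALIDATION)
HARDENED_PEAP_PROFILE = PEAP_TEMPLATE.format(server_validation=HARDENED_VALIDATION)

# Constructed EAP-TLS profile (only the outer method matters for this audit).
EAPTLS_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-TLS</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
    </EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>
"""


def audit_profile(xml_text):
    """Return {'ssid', 'outer_eap', 'inner_eap', 'findings'} for one profile export."""
    root = ET.fromstring(xml_text)
    outer = (root.findtext(".//ehc:EapMethod/ec:Type", namespaces=NS) or "").strip()
    report = {"ssid": root.findtext("w:name", namespaces=NS),
              "outer_eap": EAP_NAMES.get(outer, outer or "unknown"),
              "inner_eap": None, "findings": []}
    if outer != "25":
        # Only PEAP is inspected: with EAP-TLS there is no password on the client to leak.
        # (EAP-TLS server validation lives in a different namespace and is not audited here.)
        return report
    peap = root.find(".//peap:EapType", NS)
    inner = (peap.findtext("base:Eap/base:Type", namespaces=NS) or "").strip()
    report["inner_eap"] = EAP_NAMES.get(inner, inner or "unknown")
    if inner == "26":
        report["findings"].append("inner MSCHAPv2: stored password is the user's AD password; "
                                  "it must be re-entered on every rotation and is only as safe "
                                  "as the server certificate check")
    sv = peap.find("peap:ServerValidation", NS)
    if sv is None:
        report["findings"].append("no ServerValidation block: server certificate is not checked")
        return report
    prompt_off = (sv.findtext("peap:DisableUserPromptForServerValidation", "", NS) or "").strip().lower()
    if prompt_off != "true":
        report["findings"].append("user can be prompted to accept an unknown server certificate")
    if not (sv.findtext("peap:ServerNames", "", NS) or "").strip():
        report["findings"].append("no ServerNames restriction: any certificate name is accepted")
    if not [e for e in sv.findall("peap:TrustedRootCA", NS) if e.text and e.text.strip()]:
        report["findings"].append("no TrustedRootCA pinned: any CA in the store is accepted")
    return report


if __name__ == "__main__":
    for label, xml in [("weak PEAP", WEAK_PEAP_PROFILE), ("hardened PEAP", HARDENED_PEAP_PROFILE),
                       ("EAP-TLS", EAPTLS_PROFILE)]:
        r = audit_profile(xml)
        print(f"{label}: {r['outer_eap']}/{r['inner_eap']} on {r['ssid']}")
        for f in r["findings"]:
            print("  -", f)
```

Run against a real export (`netsh wlan export profile name="<SSID>" folder=.` on the client) the same function gives a quick picture of whether the profile matches Herman's requirement that the client trusts only the server certificate; the hardened PEAP variant still reports the MSCHAPv2 finding, which is the point of Marcel's advice to prefer EAP-TLS or, failing that, dedicated non-AD accounts.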
Original Message:
Sent: Jul 13, 2021 03:52 AM
From: Jaco Janse van Rensburg
Subject: Clearpass - AD Integration - Password Change
Good Day.
I have a Clearpass deployment, where users get authenticated via AD.
AD is set up where users need to change their passwords every 30 days.
Every time this happens, on a mobile device, the client needs to forget the network, rejoin and enter the new credentials.
I am convinced this issue lies on the mobile device and not on Clearpass, unless I am missing something somewhere.
Any pointers in the right direction would be appreciated.
------------------------------
Jaco Janse van Rensburg
------------------------------