Wireless Access

We have a 802.1x network that authenticates to Active Directory  and we make users change their passwords every 6 months. 

I was approached by my Boss and was informed that when it is password changing time that it is cumbersome for users to update their connection (especially on Apple products). Most have to forget the network and rejoin.   

I have looked around and it seems that is the normal process. Does anyone have any way to make this easier?




------------------------------
Gary French
------------------------------

That is a tough one.  AFAIK, unfortunately, when your password is changed, and your i-device has the old password, it will try until it locks you out, or Apple will stop trying to connect altogether.

The more long-term way to deal with this is to distribute eap-tls certificates that would not be subject to password changes (only to certificate revocations).  That would be provided with Clearpass and  Onboard, or some other third-party portal that would be able to distribute certificates to IOS devices...

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------

Original Message:
Sent: Sep 30, 2021 11:06 AM
From: Gary French
Subject: Password changes

We have a 802.1x network that authenticates to Active Directory  and we make users change their passwords every 6 months. 

I was approached by my Boss and was informed that when it is password changing time that it is cumbersome for users to update their connection (especially on Apple products). Most have to forget the network and rejoin.   

I have looked around and it seems that is the normal process. Does anyone have any way to make this easier?




------------------------------
Gary French
------------------------------

CJoseph,

Thanks for your comment....I agree and just wanted to see if anybody found a different way to handle that.

------------------------------
Gary French
------------------------------

Original Message:
Sent: Sep 30, 2021 07:34 PM
From: Colin Joseph
Subject: Password changes

That is a tough one.  AFAIK, unfortunately, when your password is changed, and your i-device has the old password, it will try until it locks you out, or Apple will stop trying to connect altogether.

The more long-term way to deal with this is to distribute eap-tls certificates that would not be subject to password changes (only to certificate revocations).  That would be provided with Clearpass and  Onboard, or some other third-party portal that would be able to distribute certificates to IOS devices...

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

Original Message:
Sent: Sep 30, 2021 11:06 AM
From: Gary French
Subject: Password changes

We have a 802.1x network that authenticates to Active Directory  and we make users change their passwords every 6 months. 

I was approached by my Boss and was informed that when it is password changing time that it is cumbersome for users to update their connection (especially on Apple products). Most have to forget the network and rejoin.   

I have looked around and it seems that is the normal process. Does anyone have any way to make this easier?




------------------------------
Gary French
------------------------------

I would rather say: don't use AD password to access the wireless. The protocols used for that, PEAP-MSCHAPv2 / EAP-TTLS solely depend for their security on the client configuration to not connect to any untrusted SSIDs. It is close to trivial to either retrieve the password or credentials to impersonate the user (the NT Hash of the password). With those credentials, an AD account typically gives access to many other applications like webmail or domain computers and are a 'perfect' start to an attack to your network and data. And users will probably click ok to bypass a trust warning and put their credentials, and your network at risk.

The only secure method that I'm aware of is to move to EAP-TLS or other authentication methods that use client certificates.

Using client certificates instead of passwords also solves your issue of password changes as the password is no longer used.

If you don't care so much about the security of your network access, like if it is internet only, then use a secondary, decoupled from AD password, that if the password leaks, you don't have the AD credentials leaked, and as a bonus an expired password will not reach your AD and not cause an account lock.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Sep 30, 2021 11:06 AM
From: Gary French
Subject: Password changes

We have a 802.1x network that authenticates to Active Directory  and we make users change their passwords every 6 months. 

I was approached by my Boss and was informed that when it is password changing time that it is cumbersome for users to update their connection (especially on Apple products). Most have to forget the network and rejoin.   

I have looked around and it seems that is the normal process. Does anyone have any way to make this easier?




------------------------------
Gary French
------------------------------

Herman,
Thanks for the reply.  I like your perspective on the whole situation and am looking into client certs but for the time being this is what I have.

p.s. I really like your video series.

------------------------------
Gary French
------------------------------

Original Message:
Sent: Oct 02, 2021 06:31 AM
From: Herman Robers
Subject: Password changes

I would rather say: don't use AD password to access the wireless. The protocols used for that, PEAP-MSCHAPv2 / EAP-TTLS solely depend for their security on the client configuration to not connect to any untrusted SSIDs. It is close to trivial to either retrieve the password or credentials to impersonate the user (the NT Hash of the password). With those credentials, an AD account typically gives access to many other applications like webmail or domain computers and are a 'perfect' start to an attack to your network and data. And users will probably click ok to bypass a trust warning and put their credentials, and your network at risk.

The only secure method that I'm aware of is to move to EAP-TLS or other authentication methods that use client certificates.

Using client certificates instead of passwords also solves your issue of password changes as the password is no longer used.

If you don't care so much about the security of your network access, like if it is internet only, then use a secondary, decoupled from AD password, that if the password leaks, you don't have the AD credentials leaked, and as a bonus an expired password will not reach your AD and not cause an account lock.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Sep 30, 2021 11:06 AM
From: Gary French
Subject: Password changes

We have a 802.1x network that authenticates to Active Directory  and we make users change their passwords every 6 months. 

I was approached by my Boss and was informed that when it is password changing time that it is cumbersome for users to update their connection (especially on Apple products). Most have to forget the network and rejoin.   

I have looked around and it seems that is the normal process. Does anyone have any way to make this easier?




------------------------------
Gary French
------------------------------

if you've got clearpass and you don't want to setup certificates, the other options you've got are using a separate Open SSID with Guest MAC caching for mobile devices. Most mobile apps are secured with SSL so when you consider if a mobile device needs full access with encryption the answer is often no. Setup a staff login page using AD account and let them use MAC Caching for a long interval (90 days / 180 days). When this expires users will just need to reauth to the captive portal using current AD password.

If security is a concern then the other option is to setup MPSK and have users enrol their devices using ClearPass Guest Device portal. 

This way each device can have a unique PSK and this will be independent of the AD user account. You can set the key to expire after whatever period suits and force the user to update or re-enroll the device. 

For corporate windows devices, keep them using PEAP-MSCHAP as the windows user profile will usually update when the password changes. otherwise you can switch to machine auth but then you lose the per user auth benefits. In any case If using MSCHAP just make sure you have your server validation enabled correctly which will prevent risk of credential disclosure (i.e. evil twin).

Certificates are the best option but you've got to consider how to get the certificate on the devices (i..e MDM / Onboard) which can be costly in a small environment or when considering personal devices. 

Scott,

Thank you so much for your input...I like the idea of the MPSK but would need to think through that one.

------------------------------
Gary French
------------------------------

Original Message:
Sent: Oct 03, 2021 03:43 PM
From: Scott Doorey
Subject: Password changes

if you've got clearpass and you don't want to setup certificates, the other options you've got are using a separate Open SSID with Guest MAC caching for mobile devices. Most mobile apps are secured with SSL so when you consider if a mobile device needs full access with encryption the answer is often no. Setup a staff login page using AD account and let them use MAC Caching for a long interval (90 days / 180 days). When this expires users will just need to reauth to the captive portal using current AD password.

If security is a concern then the other option is to setup MPSK and have users enrol their devices using ClearPass Guest Device portal. 

This way each device can have a unique PSK and this will be independent of the AD user account. You can set the key to expire after whatever period suits and force the user to update or re-enroll the device. 

For corporate windows devices, keep them using PEAP-MSCHAP as the windows user profile will usually update when the password changes. otherwise you can switch to machine auth but then you lose the per user auth benefits. In any case If using MSCHAP just make sure you have your server validation enabled correctly which will prevent risk of credential disclosure (i.e. evil twin).

Certificates are the best option but you've got to consider how to get the certificate on the devices (i..e MDM / Onboard) which can be costly in a small environment or when considering personal devices. 




------------------------------
Scott Doorey

Original Message:
Sent: Sep 30, 2021 11:06 AM
From: Gary French
Subject: Password changes

We have a 802.1x network that authenticates to Active Directory  and we make users change their passwords every 6 months. 

I was approached by my Boss and was informed that when it is password changing time that it is cumbersome for users to update their connection (especially on Apple products). Most have to forget the network and rejoin.   

I have looked around and it seems that is the normal process. Does anyone have any way to make this easier?




------------------------------
Gary French
------------------------------