I would rather say: don't use the AD password to access the wireless. The protocols used for that, PEAP-MSCHAPv2 / EAP-TTLS, depend solely for their security on the client configuration not connecting to any untrusted SSIDs. It is close to trivial to retrieve either the password or credentials to impersonate the user (the NT hash of the password). With those credentials, an AD account typically gives access to many other applications like webmail or domain computers and is a 'perfect' start to an attack on your network and data. And users will probably click OK to bypass a trust warning and enter their credentials, putting their credentials, and your network, at risk.
The only secure method that I'm aware of is to move to EAP-TLS or other authentication methods that use client certificates.
Using client certificates instead of passwords also solves your issue of password changes as the password is no longer used.
If you don't care so much about the security of your network access, like if it is internet only, then use a secondary password, decoupled from the AD password, so that if the password leaks, the AD credentials are not leaked, and as a bonus an expired password will not reach your AD and will not cause an account lockout.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Sep 30, 2021 11:06 AM
From: Gary French
Subject: Password changes
We have an 802.1X network that authenticates to Active Directory, and we make users change their passwords every 6 months.
I was approached by my boss and was informed that when it is password-changing time, it is cumbersome for users to update their connection (especially on Apple products). Most have to forget the network and rejoin.
I have looked around and it seems that is the normal process. Does anyone have any way to make this easier?
------------------------------
Gary French
------------------------------
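The weak point Herman's reply describes is a PEAP-MSCHAPv2 supplicant that is allowed to accept an untrusted RADIUS server, or to let the user click through the trust warning, so that a rogue SSID can capture a challenge/response for the user's NT hash. The following is an added example, not part of the original thread and not Aruba or Microsoft code: it audits a Windows WLAN profile of the kind `netsh wlan export profile` writes, flags the settings that leave the client open to that attack, and rewrites them to a hardened form (server name and root CA pinned, no user prompt). The element names follow the Microsoft PEAP profile schema as I know it; the sample profile, the server name `radius.corp.example` and the root CA thumbprint are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS_PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"

# Constructed sample of a weak profile (not from any real deployment): PEAP
# (EAP type 25) with inner MSCHAPv2 (type 26), the user allowed to accept an
# unknown server, no server name pinned and no root CA pinned.  Trimmed to the
# elements the checks below look at.
WEAK_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                <ServerNames></ServerNames>
              </ServerValidation>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>26</Type>
              </Eap>
              <PeapExtensions>
                <PerformServerValidation xmlns="%s">true</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>""" % NS_PEAP_V2


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _first(root, name):
    """First element anywhere under root with the given local name, or None."""
    return next((e for e in root.iter() if _local(e.tag) == name), None)


def _text(root, name):
    """Stripped text of the first matching element, or None if absent."""
    el = _first(root, name)
    return (el.text or "").strip() if el is not None else None


def audit_peap_profile(profile_xml):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    root = ET.fromstring(profile_xml)
    types = {(e.text or "").strip() for e in root.iter() if _local(e.tag) == "Type"}
    if "25" not in types:
        return ["not a PEAP profile; checks below do not apply"]
    findings = []
    if _text(root, "PerformServerValidation") == "false":
        findings.append("server certificate validation disabled: any RADIUS server is accepted")
    if _text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("user can click through the server trust warning")
    if not _text(root, "ServerNames"):
        findings.append("no RADIUS server name pinned")
    if _first(root, "TrustedRootCA") is None:
        findings.append("no root CA pinned: any certificate chaining to a trusted root is accepted")
    if findings and "26" in types:
        findings.append("inner EAP-MSCHAPv2: a rogue AP that gets past the client captures a "
                        "challenge/response for the user's NT hash")
    return findings


def _set(parent, name, value):
    """Set child <name> under parent (same namespace as parent), creating it if absent."""
    el = next((c for c in parent if _local(c.tag) == name), None)
    if el is None:
        ns = parent.tag.rsplit("}", 1)[0] + "}" if parent.tag.startswith("{") else ""
        el = ET.SubElement(parent, ns + name)
    el.text = value
    return el


def harden_peap_profile(profile_xml, server_name, root_ca_thumbprint):
    """Return the profile with server validation enforced: no user prompt,
    server name and root CA thumbprint pinned, validation switched on."""
    root = ET.fromstring(profile_xml)
    sv = _first(root, "ServerValidation")
    if sv is None:
        raise ValueError("no ServerValidation element; not a PEAP profile")
    _set(sv, "DisableUserPromptForServerValidation", "true")
    _set(sv, "ServerNames", server_name)
    _set(sv, "TrustedRootCA", root_ca_thumbprint)  # SHA-1 thumbprint, as netsh writes it
    ext = _first(root, "PeapExtensions")
    if ext is not None:
        el = next((c for c in ext if _local(c.tag) == "PerformServerValidation"), None)
        if el is None:
            el = ET.SubElement(ext, "{%s}PerformServerValidation" % NS_PEAP_V2)
        el.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_peap_profile(WEAK_PROFILE):
        print("WEAK:", f)
    fixed = harden_peap_profile(WEAK_PROFILE, "radius.corp.example",
                                "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")
    print("after hardening:", audit_peap_profile(fixed) or "no findings")
```

Run it against `netsh wlan export profile name="CorpWiFi" folder=. key=clear` output to see which of the four conditions a deployed profile fails; a profile that passes all of them still sends MSCHAPv2 inside the TLS tunnel, so it only removes the rogue-SSID path, which is why the reply recommends EAP-TLS rather than a better-configured PEAP.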