Wireless Access

last person joined: 6 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Clearpass and AD Account Lockout

  • 1.  Clearpass and AD Account Lockout

    Posted Dec 03, 2014 11:02 AM

    One particular user is keep getting locked out from AD only when he is on wireless.



    2 7210 Controllers



    Symptom: The user logon into his laptop and connect to the network via wireless. On CPPM Asset Tracker, i can see him connected first as Machine Auth and afterward, User Auth. About 5 minutes later, I am seeing the laptop sending an Authenication request and being rejected by Clearpass due to BadPassword. His  laptop is doing this every minutes to the point where it lock out his AD account. I have updating the NIC driver and even put the user on 5 different laptops. It does the same thing from all of the 5 laptops. All the bad password attempt are coming from the Mac Address of the laptop that he is currently using at the time. 


    When we disabel his wireless NIC, we stop seeing attempt request (disable NIC for 4 hrs). As soon as we enable wireless again, we see the user get authenicate and connected to wireless successufully intially, but then 5-7 minutes later, he is getting rejected within Clearpass for bad password attempted every minutes and it won't stop until we disable his wireless NIC.


    Chan K.




  • 2.  RE: Clearpass and AD Account Lockout

    Posted Dec 03, 2014 12:53 PM

    Do you have a screenshot of the "Alert" tab in Access Tracker when the user is rejected?


  • 3.  RE: Clearpass and AD Account Lockout

    Posted Dec 03, 2014 01:44 PM
      |   view attached

    Attached is the "Alert" tab from the reject session. I know error code 216 is indicating bad password, but it's not.


    Chan K.


    Clearpass.pdf   116 KB 1 version

  • 4.  RE: Clearpass and AD Account Lockout

    Posted Dec 20, 2014 10:57 AM

    did you try removing his AD account and adding it again? does he perhaps have a weird character in the password?