Is it possible to configure ClearPass to provide users with a web-based way to change their account credentials when password expiration occurs or when admins force a password change at next login?
Something like the guest Self Service Portal or captive portal, but for Active Directory domain users.
The feature could be particularly useful in Active Directory environment integration, for users/clients not joined to the corporate domain (externals, consultants, suppliers) that need to change their password, especially for VPN access. Then ClearPass could change the password on AD using the proper authentication source (LDAP, AD join, etc.).
No, a ClearPass web form cannot change a password in an external identity store.
Thanks Tim for your fast reply,
alternatively, does CPPM support password change using MSCHAPv2?
I'm thinking about the following VPN scenario, where the VPN client & server support password change when a password expiration condition occurs:
VPN Server <-- Radius mschapv2--> CPPM <-- LDAP--> AD/LDAP Server
Yes, that should work at the protocol level.
I tried to configure a service for VPN access on-the-fly in my lab, but it seems it doesn't work.
CPPM is joined to AD.
The LDAP bind user works and has AD admin rights.
The VPN client/server (Cisco AnyConnect & Cisco ASA) supports password change for sure; I already successfully tested it with Microsoft NPS RADIUS.
I forced a password change on the test account.
When I try the VPN access I get the following error logs
CPPM configurations (service and auth source) are very basic and simple.
Without password change, authentication passes.
Please confirm you're using EAP-MSCHAPv2?
PAP does not support password change.
I'm using MSCHAPv2, not EAP-MSCHAPv2.
The context is VPN access, not dot1x access.
Using EAP-PEAP, EAP-MSCHAPv2 the password change works, but with an error on the client side. When the client sets the new password this happens:
It seems that after the password has been changed, a second authentication (probably an internal validation, because no user interaction occurs) is not working.
Is CPPM caching the previous credentials?
So is it possible for domain users to change their password if it expires? If so, how is it done?