Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

  • 1.  ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

    Posted Jan 25, 2018 10:13 AM

    Hi all,

     

    Is it possible to configure ClearPass to provide users a web-based way to change their account credentials when password expiration occurs or when admins force a password change at next login?

     

    Something like the guest Self Service Portal or captive portal, but for Active Directory domain users.

     

    The feature could be particularly useful in Active Directory integration environments, for users/clients not joined to the corporate domain (externals, consultants, suppliers) that need to change their password, especially for VPN access.

    Then ClearPass could change the password on AD using the proper authentication source (LDAP, AD join, etc.).


    many thanks,

    Andrea



  • 2.  RE: ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

    Posted Jan 25, 2018 10:29 AM

    No, a ClearPass web form cannot change a password in an external identity store.



  • 3.  RE: ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

    Posted Jan 25, 2018 10:40 AM

    Thanks Tim for your fast reply,

     

    alternatively, does CPPM support password change using MSCHAPv2?

    I'm thinking about the following VPN scenario, where the VPN client & server support password change when the password expiration condition occurs:

     

    VPN Server <-- Radius mschapv2--> CPPM <-- LDAP--> AD/LDAP Server

     

    thanks,

    Andrea

     

     



  • 4.  RE: ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

    Posted Jan 25, 2018 11:00 AM

    Yes, that should work at the protocol level.



  • 5.  RE: ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

    Posted Jan 25, 2018 12:42 PM

    Hi Tim,

     

    I tried to configure a service for VPN access on the fly in my lab, but it seems it doesn't work.

     

    CPPM joined to AD.

    The LDAP bind user works and has AD admin rights.

    The VPN client/server (Cisco AnyConnect & Cisco ASA) support password change for sure; I already tested it successfully with Microsoft NPS RADIUS.

    I forced a password change on the test account.

     

    When I try the VPN access I get the following error logs:

    [screenshot attached: immagine.png]

    CPPM configurations (service and auth source) are very basic and simple.

    Without password change, authentication passes.

     

    Any suggestions?

     

    thanks

    Andrea

     



  • 6.  RE: ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

    Posted Jan 25, 2018 01:00 PM

    Please confirm you're using EAP-MSCHAPv2?

     

    PAP does not support password change.



  • 7.  RE: ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

    Posted Jan 25, 2018 01:07 PM

    Hi Tim,

     

    I'm using MSCHAPv2 not EAP-MSCHAPv2.

    The context is VPN access not dot1x access.

     

    Thanks,

    Andrea



  • 8.  RE: ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

    Posted Nov 02, 2018 10:54 AM

    Hi Tim,

    Using EAP-PEAP/EAP-MSCHAPv2 the password change works, but with an error on the client side. When the client sets the new password, this happens:

    2018-11-02 15:31:02,921[Th 1 Req 19172 SessId R00000ae1-01-5bdc5fa6] ERROR RadiusServer.Radius - rlm_mschap: Password must be changed.
    2018-11-02 15:31:02,921[Th 1 Req 19172 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - MS-Chap User Authentication time = 3 ms
    2018-11-02 15:31:02,921[Th 1 Req 19172 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_eap_mschapv2: Sending MSCHAPv2 Password Change reply
    2018-11-02 15:31:02,921[Th 1 Req 19172 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - reqst_update_state: Access-Challenge 7:135:CID:AOIAHABgAIHkSgAARxF0XGyPh8x8v04avdQS1Q==
    2018-11-02 15:31:02,923[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "PAN GlobalProtect" - 8:747:CID
    2018-11-02 15:31:02,924[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "PAN GlobalProtect" - 229:0:CID
    2018-11-02 15:31:02,924[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: MSCHAPv2 username used for challenge computation fabiou
    2018-11-02 15:31:02,924[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: Using domain LW from objectSid attribute
    2018-11-02 15:31:02,924[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: Changing password of user fabiou, domain LW.
    2018-11-02 15:31:03,417[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: Password Change succeeded.
    2018-11-02 15:31:03,417[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: Using domain LW from objectSid attribute
    2018-11-02 15:31:03,417[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: authenticating user fabiou, domain LW
    2018-11-02 15:31:03,459[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: user fabiou authentication failed
    2018-11-02 15:31:03,459[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] ERROR RadiusServer.Radius - rlm_mschap: AD status:Logon failure (0xc000006d)
    2018-11-02 15:31:03,459[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - MS-Chap User Authentication time = 535 ms
    2018-11-02 15:31:03,459[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

    It seems that after the password has been changed, a second authentication (probably an internal validation, because no user interaction occurs) is not working.

    Has CPPM cached the previous credential???

    Any Idea??


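Added example (not ClearPass, Aruba or forum-author code): a small triage script over CPPM RADIUS log lines of the shape posted above. The first session is the posted log copied verbatim; the second session is constructed for contrast and reuses only message texts that appear in the post. The script correlates lines per SessId, records whether the MS-CHAPv2 password change was requested and succeeded, and flags the sequence the post shows, a successful change followed by a failed re-authentication, decoding the "AD status" NTSTATUS code to its Windows name. It also decodes an RFC 2759 MS-CHAP-Error text ("E=... R=... C=... V=... M=..."), which is what a NAS sees when the server asks for a password change; the sample error string is constructed. The log regexes are assumptions fitted to the posted lines, not a documented CPPM format.

```python
"""Correlate CPPM rlm_mschap log lines per session and flag a password change
that succeeds but whose follow-up authentication fails. Added example; the
line format is inferred from the lines posted in this thread."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Session R00000ae1 is copied from the post above. Session R00000ae2 is
# CONSTRUCTED for contrast (same message texts, different user/session).
SAMPLE_LOG = """\
2018-11-02 15:31:02,921[Th 1 Req 19172 SessId R00000ae1-01-5bdc5fa6] ERROR RadiusServer.Radius - rlm_mschap: Password must be changed.
2018-11-02 15:31:02,921[Th 1 Req 19172 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_eap_mschapv2: Sending MSCHAPv2 Password Change reply
2018-11-02 15:31:02,923[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_service: The request was categorized into service "PAN GlobalProtect" - 8:747:CID
2018-11-02 15:31:02,924[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: Using domain LW from objectSid attribute
2018-11-02 15:31:02,924[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: Changing password of user fabiou, domain LW.
2018-11-02 15:31:03,417[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: Password Change succeeded.
2018-11-02 15:31:03,417[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: authenticating user fabiou, domain LW
2018-11-02 15:31:03,459[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] INFO RadiusServer.Radius - rlm_mschap: user fabiou authentication failed
2018-11-02 15:31:03,459[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] ERROR RadiusServer.Radius - rlm_mschap: AD status:Logon failure (0xc000006d)
2018-11-02 15:31:03,459[Th 3 Req 19173 SessId R00000ae1-01-5bdc5fa6] ERROR RadiusServer.Radius - rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
2018-11-02 15:40:10,001[Th 2 Req 19201 SessId R00000ae2-01-5bdc5fb0] ERROR RadiusServer.Radius - rlm_mschap: Password must be changed.
2018-11-02 15:40:10,001[Th 2 Req 19201 SessId R00000ae2-01-5bdc5fb0] INFO RadiusServer.Radius - rlm_eap_mschapv2: Sending MSCHAPv2 Password Change reply
2018-11-02 15:40:10,005[Th 4 Req 19202 SessId R00000ae2-01-5bdc5fb0] INFO RadiusServer.Radius - rlm_mschap: Changing password of user jdoe, domain LW.
2018-11-02 15:40:10,480[Th 4 Req 19202 SessId R00000ae2-01-5bdc5fb0] INFO RadiusServer.Radius - rlm_mschap: Password Change succeeded.
2018-11-02 15:40:10,480[Th 4 Req 19202 SessId R00000ae2-01-5bdc5fb0] INFO RadiusServer.Radius - rlm_mschap: authenticating user jdoe, domain LW
"""

# Assumed line layout, fitted to the posted lines: "<ts>[Th n Req n SessId x] LEVEL component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})"
    r"\[Th (?P<th>\d+) Req (?P<req>\d+) SessId (?P<sess>[^\]]+)\] "
    r"(?P<level>\w+) (?P<comp>\S+) - (?P<msg>.*)$")
USER_RE = re.compile(r"user (?P<user>\w+), domain (?P<domain>\w+)")
ADSTATUS_RE = re.compile(r"AD status:(?P<text>.*?) \(0x(?P<code>[0-9a-fA-F]+)\)")
# RFC 2759 section 6 MS-CHAP-Error text: E=<code> R=<retry> C=<16-byte challenge hex> V=<version> M=<message>
MSCHAP_ERROR_RE = re.compile(
    r"E=(?P<E>\d+) R=(?P<R>[01]) C=(?P<C>[0-9A-Fa-f]{32}) V=(?P<V>\d+) M=(?P<M>.*)")

# Windows NTSTATUS values that rlm_mschap "AD status" lines commonly carry.
NTSTATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD", 0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED", 0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000224: "STATUS_PASSWORD_MUST_CHANGE", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# MS-CHAP-Error codes from RFC 2759 section 6.
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}


@dataclass
class Session:
    sess_id: str
    user: Optional[str] = None
    domain: Optional[str] = None
    change_requested: bool = False   # server asked the peer to change the password
    change_succeeded: bool = False   # "Password Change succeeded."
    auth_failed: bool = False        # failure before any change completed
    reauth_failed: bool = False      # failure after the change completed
    ad_status: Optional[int] = None  # NTSTATUS from the "AD status" line
    timeline: list = field(default_factory=list)


def parse_line(line: str):
    """Split one CPPM log line into its fields; None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def correlate(log_text: str):
    """Group lines by SessId and derive the password-change state of each session."""
    sessions = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = sessions.setdefault(rec["sess"], Session(rec["sess"]))
        msg = rec["msg"]
        s.timeline.append((rec["ts"], rec["req"], msg))
        if (u := USER_RE.search(msg)):
            s.user, s.domain = u["user"], u["domain"]
        if "Password must be changed" in msg or "Password Change reply" in msg:
            s.change_requested = True
        elif "Password Change succeeded" in msg:
            s.change_succeeded = True
        elif "authentication failed" in msg or "MS-CHAP2-Response is incorrect" in msg:
            if s.change_succeeded:
                s.reauth_failed = True
            else:
                s.auth_failed = True
        if (a := ADSTATUS_RE.search(msg)):
            s.ad_status = int(a["code"], 16)
    return sessions


def triage(s: Session) -> str:
    """One verdict per session; CHANGE_OK_REAUTH_FAILED is the pattern in the post."""
    if s.change_succeeded and s.reauth_failed:
        return "CHANGE_OK_REAUTH_FAILED"
    if s.change_succeeded:
        return "CHANGE_OK"
    if s.change_requested:
        return "CHANGE_PENDING"
    if s.auth_failed:
        return "AUTH_FAILED"
    return "NO_FINDING"


def ntstatus_name(code: int) -> str:
    return NTSTATUS.get(code, "UNKNOWN_0x%08X" % code)


def parse_mschap_error(text: str):
    """Decode an RFC 2759 MS-CHAP-Error string (the Ident octet is not included)."""
    m = MSCHAP_ERROR_RE.search(text)
    if not m:
        return None
    code = int(m["E"])
    return {"code": code, "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
            "retry_allowed": m["R"] == "1", "challenge": bytes.fromhex(m["C"]),
            "version": int(m["V"]), "message": m["M"]}


def report(log_text: str):
    """One summary line per session: who, verdict, decoded AD status if present."""
    out = []
    for sid, s in correlate(log_text).items():
        line = f"{sid} user={s.domain}\\{s.user} verdict={triage(s)}"
        if s.ad_status is not None:
            line += f" ad_status={ntstatus_name(s.ad_status)}"
        out.append(line)
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    # Constructed MS-CHAP-Error text of the kind a NAS receives with a change-password prompt.
    print(parse_mschap_error("E=648 R=1 C=" + "00" * 16 + " V=3 M=Password must be changed"))
```

The verdict CHANGE_OK_REAUTH_FAILED only says that the NT-Response the server validated right after the change did not verify against the account; the script does not decide why (stale credentials on the client, a different domain controller answering the second lookup, or something else), it just isolates the session and the request numbers to take to the CPPM Access Tracker and the domain controller's security log.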

  • 9.  RE: ClearPass - Web-based way to change password for AD user account like guest Self Service Portal

    Posted Feb 26, 2020 03:47 PM

    So is it possible for domain users to change their password if it expires, and if so, how is it done?