Higher Education

 View Only
last person joined: 11 days ago 

Got questions on how to enable mobility in education? Submit them here!
Expand all | Collapse all

Users With Too Many Devices Keep getting Account locked

This thread has been viewed 36 times
  • 1.  Users With Too Many Devices Keep getting Account locked

    Posted Dec 06, 2021 12:28 PM
    We are seeing an influx of users having their accounts locked because of a wireless device trying to log into the wireless network with their username and password. These users will have input their username and password into so many devices, such as a kiosk ect. and when the time comes for them to renew their password, their account gets locked out and all their wireless devices will get locked out from connecting to the wireless. I know these are MS AD accounts and not a wireless issue. My question is: How is everyone else controlling this issue or similar?
    We get tickets to search through logs and ClearPass, trying to figure out what device is, locking the account.

    ------------------------------
    Scott Kirkland
    ------------------------------


  • 2.  RE: Users With Too Many Devices Keep getting Account locked

    MVP EXPERT
    Posted Dec 06, 2021 12:39 PM
    What about certificate based authentication (EAP-TLS)?

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opionions are my own
    ------------------------------



  • 3.  RE: Users With Too Many Devices Keep getting Account locked

    Posted Dec 07, 2021 04:43 AM
    You really should not use your AD password for wireless authentication, especially not when users enter it into devices as it's really hard to get the configuration done right and eliminate the risk that clients share the entered credentials with a rogue AP. If the AD account is used for other purposes, there is a big risk here. Avoid PEAP and EAP-TTLS wherever you can; use client certificates and EAP-TLS instead.

    I think you can disable/relax the password lockout for certain devices, like your RADIUS server, but it's better to plan to move away from password authentication.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Users With Too Many Devices Keep getting Account locked

    Posted Dec 07, 2021 12:08 PM
    Herman, can you recommend a good guide for planning and implementing EAP-TLS in the aruba world? Especially something that would explain how EAP-TLS and mpsk can work together to provide certificate-based security for people's devices (computers, phones, tablets, etc) and key-based security for IOT devices?

    I'm especially trying to understand what needs to be updated and in what order so that we can get from where we are to where we want to be.

    (As I posted on another thread: 

    The longer-range plan is to make fairly radical changes -- I'm brand new here, and am dealing with an interlocking set of broken things which have to be fixed in order...

    We want to use mpsk, but have been told we need to upgrade off of 8.3 to implement it. We have 135 AP-105Hs in dorms that can't be updated, so I'm in the process of planning to replace those with 205Hs off of ebay (the out-of-cycle refresh of 30% of our installed APs is a budget killer!)

    When our aruba partner implemented eduroam 3 years ago, they got the SP to work but didn't understand what the IdP was supposed to do and never realized that it's not set up at all. I'm trying to learn enough about it so that I can get the IdP working without breaking the SP, and I already know that I want to use eap-tls. 

    Every side-by-side comparison will tell you that implementing client certificates are a huge complicated thing, but I'm thinking that any process that works reliably is infinitely less complicated than this frustrating mess.)



    ------------------------------
    Cathy Fasano
    ------------------------------



  • 5.  RE: Users With Too Many Devices Keep getting Account locked

    Posted Dec 07, 2021 03:50 PM
    Herman,
    Does this video cover what you're talking about? https://community.arubanetworks.com/browse/articles/blogviewer?blogkey=36eadb25-9eec-49c1-8c08-039dc6e61b06

    ------------------------------
    Scott Kirkland
    ------------------------------



  • 6.  RE: Users With Too Many Devices Keep getting Account locked

    Posted Dec 10, 2021 09:11 AM
    Yes, however here is a more recent version of that videos.

    And if you want to use Windows Server Group Policies and the Windows Certificate Services, this video is an absolute recommendation as it also covers the Windows side in more detail.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------