12-31-2013 02:10 AM - edited 12-31-2013 02:12 AM
Hi,
I am facing the following issue: I am unable to change the password after the AD password expired.
We are doing PEAP-MSCHAPv2 without certificate validation. To get full access, user and machine have to be authenticated. In ClearPass, I have configured policies as follows:
1. If user belongs to XYZ group and machine is authenticated, give full access role.
2. If user is authenticated, give limited access role.
Because of the above policies, when the machine is authenticated during log off, no role has been assigned. So I couldn't change the password when it is expired.
I am thinking of adding a policy to the above policies like "if machine is authenticated give limited access role". When I do this, the machine gets an IP address during the ctrl+alt+del screen. But my query is, what has to be allowed for that role to change the password?
Or else should I give full access role to machine authentication, as when we log on to the system, we won't be able to connect to the network until and unless we provide username and password.
Thanks
srikanth soogoor
Re: AD password change after expiration over wi-fi
12-31-2013 06:15 AM
I'll be curious to hear what the solution is as right now our users have to connect wired to get around that issue.
Re: AD password change after expiration over wi-fi
12-31-2013 06:35 AM - edited 12-31-2013 06:35 AM
@srikanthsoogoor wrote:
Hi,
I am facing the following issue: I am unable to change the password after the AD password expired.
We are doing PEAP-MSCHAPv2 without certificate validation. To get full access, user and machine have to be authenticated. In ClearPass, I have configured policies as follows:
1. If user belongs to XYZ group and machine is authenticated, give full access role.
2. If user is authenticated, give limited access role.
Because of the above policies, when the machine is authenticated during log off, no role has been assigned. So I couldn't change the password when it is expired.
I am thinking of adding a policy to the above policies like "if machine is authenticated give limited access role". When I do this, the machine gets an IP address during the ctrl+alt+del screen. But my query is, what has to be allowed for that role to change the password?
Or else should I give full access role to machine authentication, as when we log on to the system, we won't be able to connect to the network until and unless we provide username and password.
Thanks
srikanth soogoor
If a device has machine authenticated, give it full access. At that point the machine is at the ctrl-alt-delete screen and needs to do specific things in the background like group policy updates and not allowing all access blocks it. If the device then fails user authentication, it will not be able to connect.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: AD password change after expiration over wi-fi
01-05-2014 04:15 AM
Hi all,
I have a query regarding the above issue. When wifi is on, the machine gets authenticated and stored in the ClearPass machine cache (we set it to 10 days), and the user gets authenticated after he logs in. He gets the full access role.
What happens if wifi is off during login? He logs in with cached credentials which are expired in the domain. The user will turn on wifi and try to connect; then the user won't get authenticated. But the machine is authenticated, which checks in the cache. Will it get any IP address from the machine authenticated role, or else, as user authentication has failed, won't it connect to the SSID? How is it going to work?
Re: AD password change after expiration over wi-fi
01-05-2014 05:49 AM - edited 01-05-2014 06:24 AM
If your client is configured for "Computer Only" or "Machine Only" authentication, a user will be able to get into their computer with cached credentials and change their password. If you are doing "user and computer" authentication, and the user starts on the wifi at the ctrl-alt-delete screen, the laptop should be able to tell the user that their password is expiring and allow them to change it. If you are doing "user and computer" authentication, and the computer permits the user to login with a cached and expired password, the wireless will not let them onto the network to change it, because they would not have a valid ip address.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: AD password change after expiration over wi-fi
01-05-2014 06:46 AM
OK.
You mean to say that, if wifi is off during the ctrl+alt+del screen and the user gets into the computer with cached credentials which are expired, as authentication fails it won't get any IP address to change it.
And if wifi is on during ctrl+alt+del, the machine gets authenticated and it gets an IP address to communicate with the domain controller, and the DC won't allow login if the password is expired. If it allows login with valid credentials, obviously they will be able to connect to wifi.
Now, can I assign the same full access role to both machine authenticated and user authenticated?
Like
If user authenticated & user belongs to XYZ group and machine authenticated [full access role]
If user authenticated [pre provisioning role]
If machine authenticated [full access role], so that it can communicate with DC and update GPO as you said earlier
But with the above policies, as machine authenticated is in cache, if the user logs in with expired credentials with wifi off, the user won't get authenticated. But machine authentication is done, so policy manager may assign the machine authenticated role, right???
Re: AD password change after expiration over wi-fi
01-05-2014 06:48 AM - edited 01-05-2014 06:50 AM
In the user context, a user must pass authentication to get an ip address. The radius server will only send back a reject upon failed user authentication EVEN after passed machine authentication. There is no way around this.
After a laptop has entered the user context, it will no longer send machine credentials for connectivity. User credentials are required when in the user context and the connection will drop if the user fails even after successful machine authentication.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Re: AD password change after expiration over wi-fi
01-05-2014 06:54 AM
@cjoseph wrote:
In the user context, a user must pass authentication to get an ip address. The radius server will only send back a reject upon failed user authentication EVEN after passed machine authentication. There is no way around this.
After a laptop has entered the user context, it will no longer send machine credentials for connectivity. User credentials are required when in the user context and the connection will drop if the user fails even after successful machine authentication.
Can I apply the enforcement rules which I mentioned in the previous post and the order???
Re: AD password change after expiration over wi-fi
01-05-2014 06:56 AM
@srikanthsoogoor wrote:
@cjoseph wrote:
In the user context, a user must pass authentication to get an ip address. The radius server will only send back a reject upon failed user authentication EVEN after passed machine authentication. There is no way around this.
After a laptop has entered the user context, it will no longer send machine credentials for connectivity. User credentials are required when in the user context and the connection will drop if the user fails even after successful machine authentication.
Can I apply the enforcement rules which I mentioned in the previous post and the order???
No, because you can only apply enforcement rules with a successful 802.1X authentication. Enforcement Policies are not executed with failed authentication in 802.1X.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
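As an added illustration (not code from this thread or from ClearPass), the following Python model captures the two points settled above: a failed user authentication is rejected before any enforcement rule runs, so a cached machine authentication cannot rescue a user who logged on with an expired password, and first-match rule order decides which role a user outside the XYZ group receives. The `Request` fields, role names and scenario functions are assumptions made for the example.

```python
"""Toy model of the enforcement logic discussed in this thread.
Constructed example: it is not ClearPass code. It models PEAP-MSCHAPv2
machine/user authentication outcomes and an enforcement policy whose rules
are evaluated only after a successful 802.1X authentication."""
from dataclasses import dataclass, field


@dataclass
class Request:
    context: str                  # "machine" (ctrl-alt-del screen) or "user"
    password_valid: bool          # did the supplied MSCHAPv2 credential verify?
    groups: set = field(default_factory=set)
    machine_cached: bool = False  # machine auth seen in the cache (10-day TTL)


def evaluate(req: Request) -> str:
    """Return the RADIUS outcome: a role name on Accept, or 'REJECT'.

    Rules mirror the first-match ordering proposed in the thread:
      1. user authenticated + XYZ group + machine authenticated -> full-access
      2. user authenticated                                     -> pre-provisioning
      3. machine authenticated                                  -> full-access
    A failed authentication never reaches the enforcement rules at all."""
    if not req.password_valid:
        return "REJECT"          # Access-Reject: no role, hence no IP address
    machine_authenticated = req.context == "machine" or req.machine_cached
    if req.context == "user" and "XYZ" in req.groups and machine_authenticated:
        return "full-access"
    if req.context == "user":
        return "pre-provisioning"
    return "full-access"         # machine context: DC reachable for GPO/password change


# Constructed scenarios taken from the questions asked in the thread
def machine_only_at_logon_screen() -> str:
    return evaluate(Request(context="machine", password_valid=True))


def expired_user_with_cached_machine() -> str:
    # logged on offline with an expired cached password, then turned wifi on
    return evaluate(Request(context="user", password_valid=False,
                            groups={"XYZ"}, machine_cached=True))


def valid_user_in_group() -> str:
    return evaluate(Request(context="user", password_valid=True,
                            groups={"XYZ"}, machine_cached=True))


def valid_user_outside_group() -> str:
    return evaluate(Request(context="user", password_valid=True,
                            groups={"staff"}, machine_cached=True))
```

Swapping rules 2 and 3 would hand a user outside the group the full-access role whenever a cached machine authentication exists, which is why the ordering matters as much as the rules themselves.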