Hi,
I am facing the following issue: I am unable to change the password after the AD password has expired.
We are doing PEAP-MSCHAPv2 without certificate validation. To get full access, both the user and the machine have to be authenticated. In ClearPass, I have configured policies as follows:
1. If the user belongs to the XYZ group and the machine is authenticated, give the full access role.
2. If the user is authenticated, give the limited access role.
Because of the above policies, when the machine is authenticated during log off, no role has been assigned. So I couldn't change the password when it expired.
I am thinking of adding a policy to the above policies like "if the machine is authenticated, give the limited access role". When I do this, the machine gets an IP address at the Ctrl+Alt+Del screen. But my question is: what has to be allowed for that role in order to change the password?
Or else, should I give the full access role to machine authentication, since when we log on to the system we won't be able to connect to the network unless we provide a username and password?
Thanks
srikanth soogoor