Contributor II

Re: AD password change after expiration over wi-fi

What is the possible way for a computer to communicate with the DC during the logon screen if I don't assign a role to it? How does the domain controller check whether the user is using valid credentials to enter a machine that is part of the domain, as on the LAN, unless it has an IP address at the logon screen after machine authentication? Without an IP address, how will the computer learn from the DC that the password is expired or has to be changed?

Can you please suggest how to write rules in my scenario?

Guru Elite

Re: AD password change after expiration over wi-fi


@srikanthsoogoor wrote:

What is the possible way for a computer to communicate with the DC during the logon screen if I don't assign a role to it? How does the domain controller check whether the user is using valid credentials to enter a machine that is part of the domain, as on the LAN, unless it has an IP address at the logon screen after machine authentication? Without an IP address, how will the computer learn from the DC that the password is expired or has to be changed?

Can you please suggest how to write rules in my scenario?


I cannot suggest rules. I can only suggest a strategy:

Make sure you have it configured in group policy to warn users 5 days before their password expires. They will get the change notification over wireless. If they do not change it, they will be locked out until they plug into the wired network. That is the best strategy to have. If a user allows his/her password to expire, even after they get a warning, it will be painful.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Contributor II

Re: AD password change after expiration over wi-fi

OK, I got it.

The problem is that over Wi-Fi, clients are logging in using cached credentials, where the credentials are not checked against the domain controller during login even though Wi-Fi is on, as no role has been assigned for machine authentication in ClearPass. So the client is thrown out of the network if the password is expired, and he wouldn't be able to change the password at the Ctrl+Alt+Del screen.

So I thought of stopping users from logging in with cached credentials by assigning a role when machine authentication is done. If I assign a role, it will get an IP address, so the machine can check against the domain controller, and they will be able to get into the machine with valid credentials and have no hiccups connecting to Wi-Fi, as we use the Windows logon username for authentication.

Guru Elite

Re: AD password change after expiration over wi-fi


@srikanthsoogoor wrote:

OK, I got it.

The problem is that over Wi-Fi, clients are logging in using cached credentials, where the credentials are not checked against the domain controller during login even though Wi-Fi is on, as no role has been assigned for machine authentication in ClearPass. So the client is thrown out of the network if the password is expired, and he wouldn't be able to change the password at the Ctrl+Alt+Del screen.

So I thought of stopping users from logging in with cached credentials by assigning a role when machine authentication is done. If I assign a role, it will get an IP address, so the machine can check against the domain controller, and they will be able to get into the machine with valid credentials and have no hiccups connecting to Wi-Fi, as we use the Windows logon username for authentication.


Unfortunately, that would complicate things. Computers need to have full access to the network when at the Ctrl-Alt-Delete screen or when machine authentication has taken place. Many users do not get group policy correctly, or log in with cached credentials on site, when machine authentication does not execute or is not configured properly. Please make sure that the computer has full access to the network when it is at the Ctrl-Alt-Delete screen, to ensure that domain access is fully available. That is the primary solution to ensure that users do not log in with expired cached credentials. If you are giving it a special role that blocks any traffic during machine authentication, you risk having users log in with cached credentials, which would create the issue that you are seeing.


Guru Elite

Re: AD password change after expiration over wi-fi

If, in ClearPass, you check whether the memberOf attribute contains "Domain Computers" and then permit full access, that would detect when a computer is at the Ctrl-Alt-Delete screen and give it full access. Unfortunately, using the built-in [Machine Authenticated] role in ClearPass will only detect whether a device EVER passed machine authentication. It does not specify whether the CURRENT incoming authentication is a machine authentication. Checking whether the memberOf attribute contains "Domain Computers" checks whether the current incoming authentication is that of a domain computer.


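The distinction drawn in the post above, worked as an added example that is not part of this thread and not ClearPass code: a small Python model of the enforcement decision. It contrasts a sticky per-endpoint "machine authenticated" flag (matches any later authentication from an endpoint that once passed machine auth) with a check on the memberOf groups of the account in the current request (matches only when the current request is a machine authentication), and it also models the asker's original setup where no role exists for machine-only authentications. The AuthRequest fields, the EndpointFlagPolicy class, the MAC address, the host/LAPTOP01 and jdoe identities and the role names are all constructed for illustration; real ClearPass attribute names and rule syntax are not reproduced.

```python
from dataclasses import dataclass

DOMAIN_COMPUTERS = "Domain Computers"  # AD group that every domain-joined computer account belongs to
DOMAIN_USERS = "Domain Users"          # AD group that every domain user account belongs to


@dataclass(frozen=True)
class AuthRequest:
    """One incoming 802.1X authentication as a policy engine sees it (constructed fields)."""
    endpoint_mac: str        # endpoint identifier the engine keys its cached state by
    identity: str            # EAP identity: host/<name> for machine auth, a username for user auth
    member_of: tuple         # memberOf groups returned by AD for the account that authenticated
    credentials_valid: bool  # True if the DC accepted the password; False if it has expired


def current_auth_is_machine(req: AuthRequest) -> bool:
    """The check suggested in the thread: is the account in THIS request a domain computer?"""
    return DOMAIN_COMPUTERS in req.member_of


class EndpointFlagPolicy:
    """Models relying on a sticky per-endpoint 'machine authenticated' flag.
    Once an endpoint passes machine auth the flag stays set, so a later user
    authentication from the same endpoint also matches (the 'EVER passed' behaviour)."""

    def __init__(self) -> None:
        self.flagged = set()  # MACs that have passed machine auth at some point

    def matches(self, req: AuthRequest) -> bool:
        if req.credentials_valid and current_auth_is_machine(req):
            self.flagged.add(req.endpoint_mac)
        return req.endpoint_mac in self.flagged


def enforce(req: AuthRequest, machine_rule_present: bool, machine_match: bool) -> str:
    """Return the role assigned to one request.

    machine_rule_present=False models the asker's setup: there is no role for a
    machine-only authentication, so the computer sitting at the logon screen is
    rejected and never gets an IP address (and Windows falls back to cached credentials).
    """
    if not req.credentials_valid:
        return "REJECT"  # expired or wrong password: the DC said no
    if machine_match:
        return "FULL_ACCESS" if machine_rule_present else "REJECT"
    if DOMAIN_USERS in req.member_of:
        return "FULL_ACCESS"  # ordinary user authentication
    return "REJECT"


def run_boot_then_logon(policy_name: str, machine_rule_present: bool) -> list:
    """Simulate a laptop booting (machine auth) followed by a user logon (user auth),
    classifying each request with either the memberOf check or the sticky endpoint flag.
    Returns (identity, classified_as_machine, role) per request."""
    boot = AuthRequest("aa:bb:cc:00:00:01", "host/LAPTOP01", (DOMAIN_COMPUTERS,), True)
    logon = AuthRequest("aa:bb:cc:00:00:01", "jdoe", (DOMAIN_USERS,), True)
    flag_policy = EndpointFlagPolicy()
    results = []
    for req in (boot, logon):
        if policy_name == "memberof":
            is_machine = current_auth_is_machine(req)
        else:
            is_machine = flag_policy.matches(req)
        results.append((req.identity, is_machine, enforce(req, machine_rule_present, is_machine)))
    return results


if __name__ == "__main__":
    # Asker's original setup: machine auth is rejected, so no IP at the logon screen.
    print("no machine rule:", run_boot_then_logon("memberof", False))
    # memberOf check: only the boot-time request is classified as machine auth.
    print("memberOf rule:  ", run_boot_then_logon("memberof", True))
    # Sticky endpoint flag: the user logon is also classified as 'machine' because the
    # endpoint passed machine auth earlier.
    print("endpoint flag:  ", run_boot_then_logon("endpoint_flag", True))
```

Run it directly to see the three scenarios side by side. The useful line is the second entry of the endpoint-flag run: the user logon from jdoe is still classified as machine-authenticated, which is exactly why that flag cannot answer "is this request the computer at the logon screen?", while the memberOf check classifies the same request as a user authentication.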
Contributor II

Re: AD password change after expiration over wi-fi

When we are using cached credentials that have expired, machine authentication passes but user authentication does not.

To change the password now, we are connecting to the LAN and changing it manually. Is there any way to do it over wireless, as on the LAN, to change the password instead of using the LAN or asking an admin to reset the password?

Guru Elite

Re: AD password change after expiration over wi-fi

Laptops only pass machine authentication (1) when the machine boots up and (2) when the user logs off of his/her user session.

If machine authentication is actually working in your environment, it should not let your user get into the machine with expired credentials, because it should have an IP address at the Ctrl-Alt-Delete screen, so it should reach the domain and ask for real, working credentials. I would check to see if your machine authentication is really working.

Does your machine get an IP address at the Ctrl-Alt-Delete screen before a user logs in? Can you do things like stop and start services and open a share to the machine while the machine is at the Ctrl-Alt-Delete screen? If not, machine authentication is not working and needs to be fixed.


Contributor II

Re: AD password change after expiration over wi-fi


@cjoseph wrote:

Laptops only pass machine authentication (1) when the machine boots up and (2) when the user logs off of his/her user session.

If machine authentication is actually working in your environment, it should not let your user get into the machine with expired credentials, because it should have an IP address at the Ctrl-Alt-Delete screen, so it should reach the domain and ask for real, working credentials. I would check to see if your machine authentication is really working.

Does your machine get an IP address at the Ctrl-Alt-Delete screen before a user logs in? Can you do things like stop and start services and open a share to the machine while the machine is at the Ctrl-Alt-Delete screen? If not, machine authentication is not working and needs to be fixed.

No, it doesn't get any IP address, as no role has been assigned for machine-only authentication. If ClearPass checks only the machine, it sends a reject. Now I am planning to assign a full access role and VLAN to it, so that it gets an IP address and can check the credentials.

Thanks

Srikanth
