In our environment, if a user does not change their domain password and lets it expire, they'll get disconnected from wireless and are unable to update their password over wifi. They have to connect to a wired port to update their password, then are able to connect back to wifi. I'd like to resolve this if possible.
We require machine auth + user auth (EAP-PEAP) to connect to our network. Once the user loses connectivity because the password has expired, they'll log off and attempt to log back in, which should prompt them to change their password. Since these are all Win7 machines, they'll machine auth at the logon screen, which will give them limited connectivity to the network. The machine auth policy includes IP access to all Win DCs, and the usual DHCP, DNS, etc. I would think this is enough to be able to change their password, but for some reason it is not. We're using ClearPass for wireless authentication, and I'm wondering if CP is part of the problem or if I need to re-evaluate my machine auth policy.
Any help is appreciated. Thanks.