ClearPass Active Directory Password Renewal
a month ago
Currently my Aruba wireless is authenticating employees with ClearPass as the RADIUS server, and ClearPass uses Active Directory as the authentication source.
When an AD user's password expires, those using Windows laptops registered in the AD can easily reset it when they log in to Windows.
However, I have some users whose laptops are running Linux and Mac OS. When their password expires, we have to log into the AD server to reset it.
This is the alert I receive in the Access Tracker for expired passwords:
MSCHAP: AD status:Password expired (0xc0000071)
MSCHAP: Authentication failed
EAP-MSCHAPv2: User authentication failure
For these users, is there a way for them to renew their passwords through ClearPass, in other words, when they try to connect to the wireless network? I have read many posts here about expired AD passwords, but none of them has dealt with this situation or been clear about whether it is possible.
Thanks in advance!
Re: ClearPass Active Directory Password Renewal
3 weeks ago - last edited 3 weeks ago
Please check this post for some references to similar questions: https://community.arubanetworks.com/t5/Security/Clearpass-with-non-domain-users-and-password-expiry/td-p/526624
The core of the issue is that you cannot change your password if you can't access the network. Users should change their password before it expires.
The better solution is to get rid of passwords and change to EAP-TLS with certificates. The use of EAP-PEAP is deprecated even by Microsoft because the underlying MSCHAPv2 authentication mechanism is known to be insecure. MDM/EMM solutions can help to provision managed devices. ClearPass Onboard works nicely to provision unmanaged devices like BYOD, contractors, etc.
If you need to stick to passwords, this recent post may help you to redirect users that are close to password expiration to a captive portal page. Have not tested that myself, but it may be worth trying.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
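
As an added illustration of the advice above to change passwords before they expire (not code from either poster or from Aruba): a sketch that takes each account's `msDS-UserPasswordExpiryTimeComputed` value from Active Directory and lists the accounts that need a reminder or a reset. How the values are fetched (for example over LDAP), the account names and the 14-day warning window are assumptions; the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # AD returns this when the password never expires


def to_filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_datetime(filetime):
    """Windows FILETIME -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def classify(expiry_filetime, now, warn_days=14):
    """Return (state, days_left) for one msDS-UserPasswordExpiryTimeComputed value."""
    if expiry_filetime == NEVER:
        return ("never_expires", None)
    if expiry_filetime == 0:  # pwdLastSet is 0: change required at next logon
        return ("must_change", 0)
    expires = filetime_to_datetime(expiry_filetime)
    days_left = (expires - now).days
    if expires <= now:
        return ("expired", days_left)
    if days_left < warn_days:
        return ("expiring_soon", days_left)
    return ("ok", days_left)


def accounts_needing_action(accounts, now, warn_days=14):
    """List (user, state, days_left) for accounts to notify, most urgent first."""
    rows = [(user,) + classify(ft, now, warn_days) for user, ft in accounts.items()]
    rows = [r for r in rows if r[1] in ("expired", "must_change", "expiring_soon")]
    return sorted(rows, key=lambda r: r[2])


# Constructed sample data: hypothetical users and expiry times relative to NOW.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "alice": to_filetime(NOW + timedelta(days=3)),
    "bob": to_filetime(NOW - timedelta(days=2)),
    "carol": to_filetime(NOW + timedelta(days=40)),
    "svc-backup": NEVER,
    "dave": 0,
}

if __name__ == "__main__":
    for user, state, days in accounts_needing_action(SAMPLE, NOW):
        print(f"{user}: {state} ({days} days)")
```

Accounts reported as `expired` are the ones that would produce the `0xc0000071` alert shown in the question on their next connection attempt.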