Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass timeout when AD is prompting for a password change?

  • 1.  Clearpass timeout when AD is prompting for a password change?

    Posted Jul 29, 2014 05:23 PM

    Anyone come across this? We have users at remote sites logging into IAP225. The new users that have not logged into the domain before have a temp password. In AD we have it set to prompt for change of password as soon as they log in with the temp.

    This part happens to the user, and while they take 2 minutes to figure out what password they want to use, they enter it, and then they get a "no logon servers available" error.

    In ClearPass it shows this under alerts for their login attempt. This is the first time I have seen this as well:

     

    MSCHAP: AD status: Password-Change: No Password-Change-Error: Password restriction .

    MSCHAP: AD status: Password-Change: No Password-Change-Error: Password restriction .

    MSCHAP: AD status: Password-Change: No Password-Change-Error: Password restriction .MSCHAPL Password change failed

    EAP-MSCHAPv2: User authentication failure

    Is there some timeout window with ClearPass, and if so, where would this setting be located?

     



  • 2.  RE: Clearpass timeout when AD is prompting for a password change?

    Posted Jul 29, 2014 05:59 PM

    In my CPPM 6.2, the default domain server timeout is 10 seconds:

    [Screenshot: Capture.PNG]



  • 3.  RE: Clearpass timeout when AD is prompting for a password change?

    EMPLOYEE
    Posted Jul 29, 2014 06:14 PM
    You'll see the same behavior if the user doesn't accept the certificate immediately. I don't think there is a solution for that. The EAP process is time sensitive.

    Are you doing machine authentication while the device is at the login screen? This is the best way to handle new users logging in.