It is deprecated to use company credentials for username/password authentication on PEAP or TTLS authentication as through man-in-the-middle attacks the credentials are easy to obtain if the client is not 100% controlled. EAP-TLS is recommended, and also solves your password lockout problem.
Then, yes it is expected that most clients will just retry authentication in PEAP and potentially lock out an account. One option in Instant is to use the Blacklist feature:
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
------------------------------
Original Message:
Sent: Dec 30, 2020 10:06 AM
From: Inzamam Shahid
Subject: User changed password, authentication fails but Win10 doesn't prompt
I am currently experiencing this same issue with Android devices only. This is what I have:
- Aruba IAP with CPPM
- Advertising a corp SSID
- Users connect with their personal devices and are dropped into the non corp network.
When users change their AD password, it does not prompt them to change it on the Android device. This results in their AD account being locked out as they have too many unsuccessful authentications. Is there any way Android devices can be prompted to tell users to update their password? iOS users are prompted to change their passwords. Also, this seems to be a recent change in Android, but I am not sure when or why this was introduced.
Is it possible to configure something on the IAP or CPPM that prompts Android users to update their password?
Is this normal Android behaviour?
Is there something we can configure on the Android device for this behaviour?
Thanks in advance.
------------------------------
Inzamam Shahid
Original Message:
Sent: Mar 05, 2019 08:08 AM
From: Johan Le Maire
Subject: User changed password, authentication fails but Win10 doesn't prompt
Our solution was to change the Group Policy setting to "Cache user information for subsequent connections to this network => Disabled".
Users will need to re-enter their credentials every time they connect to the network, but as this is not their primary network, we take that disadvantage over the blocking of caching the wrong credentials.
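
One way to check that the Group Policy change described in the last message actually reached a client, as an added example that is not part of the thread: it reads a Windows WLAN profile export (`netsh wlan export profile`) and reports the `cacheUserData` flag of the 802.1X settings. It assumes that this flag is what the Group Policy setting controls; the profile XML and the SSID name `corp-example` are constructed.

```python
import xml.etree.ElementTree as ET

# XML namespaces used in Windows WLAN profile exports.
NS = {
    "wlan": "http://www.microsoft.com/networking/WLAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
}

# Constructed sample profiles (not taken from the thread).
PROFILE_CACHING = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-example</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication>
      <encryption>AES</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <cacheUserData>true</cacheUserData>
    </OneX>
  </security></MSM>
</WLANProfile>"""
PROFILE_NO_CACHE = PROFILE_CACHING.replace(
    "<cacheUserData>true<", "<cacheUserData>false<")
PROFILE_UNSET = PROFILE_CACHING.replace(
    "<cacheUserData>true</cacheUserData>", "")


def audit_profile(xml_text):
    """Return (profile name, uses 802.1X, cacheUserData as True/False/None)."""
    root = ET.fromstring(xml_text)
    name = root.findtext("wlan:name", default="", namespaces=NS)
    onex = root.findtext(".//wlan:useOneX", default="false", namespaces=NS)
    cache = root.findtext(".//onex:cacheUserData", namespaces=NS)
    cached = None if cache is None else cache.strip().lower() == "true"
    return name, onex.strip().lower() == "true", cached


def needs_attention(xml_text):
    """True when an 802.1X profile does not explicitly disable caching."""
    _, onex, cached = audit_profile(xml_text)
    return onex and cached is not False


if __name__ == "__main__":
    for label, xml_text in [("caching", PROFILE_CACHING),
                            ("no cache", PROFILE_NO_CACHE),
                            ("unset", PROFILE_UNSET)]:
        print(label, audit_profile(xml_text), needs_attention(xml_text))
```

A profile where the element is absent is flagged as well, because the operating system default then decides whether stale credentials are replayed.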