Wireless Access

Occasional Contributor II

802.1x AD account lockout prevention with mobile devices



I might have asked this in the past but wanted to see if theres any new suggestions. Were using 802.1x for secure wireless and most of our mobile devices are iPads and iPhones. The problem we have is when a user changes AD password (every 90 days) and forgets to change the password on there iPad / Phone there AD account locks out after 3 attempts.


We have been using Aruba blacklisting after two failed attempts which works but means our helpdesk are now un blacklisting rather unlocking AD accounts which is not ideal. We also can't raise the amount of failed auth attempts before lockout as this is part of a bigger security issue.


It seems silly to me that IOS will keep polling with the wrong credenetials and doesnt just give up after failed auth. If other have come accross this and have any advice it would be much appreciated.




p.s. clearpass isnt an option for us due to cost.

Valued Contributor I

Re: 802.1x AD account lockout prevention with mobile devices

That's Apple for you! I for one am looking forward to the day they come out of that ivory tower and play nice. Anyway...


If you're sure Clearpass isn't an option... :smileysad:


The most obvious answer is try a different supplicant. In the past I've been a fan of Juniper (Funk) Odyssey. It's good, but you'd have to test to make sure it worked against this (and it costs money). Also I hear good things about "wpa supplicant" which I believe is free?


Either of these might solve it, but you'd then have to work out how to distribute it to users...


Also, I have heard of Uni's writing scripts for Macs to clear out old creds. I don't have specifics on it though!


My love/hate view of Apple continues!


Kudos appreciated, but I'm not hunting! (ACMX 104)

Re: 802.1x AD account lockout prevention with mobile devices

Can you bump up the 3 failed attempts number?  For me, the mail app on the iPhone will prompt me for credentials when I cahnge my AD pasword.  Not sure if iOS is still trying to use cached credentials or not.  Might be an OWA setting?  I am not a MS expert...just sharing my experience.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
If you found my post helpful, please give kudos
Occasional Contributor II

Re: 802.1x AD account lockout prevention with mobile devices

Thanks for the responses, the issue isnt with the mail app that will prompt for credentials but with the 802.1x for wifi that will just continue to try and authenitcate untll it either gets blacklisted by Aruba or locks out the AD account.


The 3 tries setting is part of our gloabl domain settings and wil affect wired and wireless, something we can not alter, besides puting it up to 10 it would still lock it out the account if the user doesnt change it as the 802.1x seems to just keep trying.

Guru Elite

Re: 802.1x AD account lockout prevention with mobile devices

Clear pass would not help you very much in this situation. It is the same thing like changing your password on your desktop and you have a laptop somewhere in the building trying with the same credentials. It is not any easier to find that second computer that the person is logged into that is causing the problem. You have the choice of not making the blacklist permanent since you cannot change the number of permitted failed logins. There is nothing else you can really do. This happens on Windows, Mac and every mobile platform that seeks to keep you connected all the time.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Trusted Contributor I

Re: 802.1x AD account lockout prevention with mobile devices

Do you have an internal PKI environment?  If so, you could create certificates for your mobile devices.  If you don't have ClearPass for Onboarding, it can be a bit cumbersome because you have to manually load the certificates over your guest networking and emailing the certificate to yourself or the mobile device owner.  We did this for a while, it just doesn't scale well.

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Search Airheads
Showing results for 
Search instead for 
Did you mean: