Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AD password change with 802.1x authentication and wifi

  • 1.  AD password change with 802.1x authentication and wifi

    Posted Feb 18, 2014 11:56 AM

    How are you addressing the issue where a user changes their password in AD using their wired PC and then tries to connect from a laptop with their old cached credentials?  More specifically: a user logs into their wired computer and is prompted to change their AD password.  They complete that process and are now logged into their wired computer and connected to AD.

     

    Then they boot up their laptop and log into it with their old cached credential password and attempt to connect to the network via wireless (it's set to auto-connect upon login and is set to use the user credentials from logging into the laptop).  They fail user authentication to the wireless network and are not able to get to any resources at that point.  We need some way for them to be able to put in their new credentials.

     

    One obvious way around that is to connect the laptop up wired, lock the laptop, then provide the new credentials to unlock it.  Then they are able to connect to wireless using the new cached credentials.



  • 2.  RE: AD password change with 802.1x authentication and wifi

    EMPLOYEE
    Posted Feb 18, 2014 08:24 PM

    Are you using machine authentication?



  • 3.  RE: AD password change with 802.1x authentication and wifi

    Posted Feb 19, 2014 06:31 AM

    Yes we are doing both machine and user auth.

     

    Ian



  • 4.  RE: AD password change with 802.1x authentication and wifi

    EMPLOYEE
    Posted Feb 19, 2014 06:41 AM
    When the device is machine authed at the login screen, it should prompt the user to change their password, or if they enter fresh credentials, it should check AD.


  • 5.  RE: AD password change with 802.1x authentication and wifi

    Posted Feb 18, 2014 08:50 PM

    In some environments, if the credentials are rejected due to an invalid password, the devices are typically prompted to re-enter their credentials...

     

    For my documentation, I typically have users remove their profile and re-do the entire thing, on iPhones/Androids primarily, because I have seen the different OSs use the new credentials once but not cache them, so the next auth is rejected again...

     

    If the users ignore the message, well, then they sometimes experience issues, as some devices don't re-prompt...



  • 6.  RE: AD password change with 802.1x authentication and wifi

    EMPLOYEE
    Posted Feb 19, 2014 10:24 AM

    @istong wrote:

    How are you addressing the issue where a user changes their password in AD using their wired PC and then tries to connect from a laptop with their old cached credentials?  More specifically: a user logs into their wired computer and is prompted to change their AD password.  They complete that process and are now logged into their wired computer and connected to AD.

     

    Then they boot up their laptop and log into it with their old cached credential password and attempt to connect to the network via wireless (it's set to auto-connect upon login and is set to use the user credentials from logging into the laptop).  They fail user authentication to the wireless network and are not able to get to any resources at that point.  We need some way for them to be able to put in their new credentials.

     

    One obvious way around that is to connect the laptop up wired, lock the laptop, then provide the new credentials to unlock it.  Then they are able to connect to wireless using the new cached credentials.


    istong,

     

    The best thing would be for them to log off, then attempt to log back in.  If they log off, machine authentication would take place; then they can do a "real" login to their laptop after.  Logging off then logging back in is faster than a reboot.  I hope you are not changing VLANs when the user and computer authenticate; otherwise it will break this process.

     



  • 7.  RE: AD password change with 802.1x authentication and wifi

    Posted Feb 19, 2014 07:56 PM

    Logging out and back in doesn't work.  Likely because we only set the authenticated role after you pass both machine and user auth.  Hence wondering what others do when faced with this issue.

     



  • 8.  RE: AD password change with 802.1x authentication and wifi

    EMPLOYEE
    Posted Feb 19, 2014 07:58 PM
    We have a machine auth role that only allows access to domain controllers, DHCP, DNS, and WSUS.  This allows users to enter their new password or change it.


  • 9.  RE: AD password change with 802.1x authentication and wifi

    EMPLOYEE
    Posted Feb 19, 2014 07:58 PM
    Passing machine-only authentication needs to have the authenticated role.  Backend processes and a lot of long scripts cannot proceed unless you do this.


  • 10.  RE: AD password change with 802.1x authentication and wifi

    EMPLOYEE
    Posted Feb 19, 2014 08:13 PM

    Attached screenshots: machine-auth-cp.PNG, mach-auth-role.PNG, mach-auth-role_ad-login.PNG, mach-auth-role_win-mach-acl.PNG
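    The restricted machine-authentication role that replies 8 and 10 describe, written out as an ArubaOS controller configuration.  This is an added example, not configuration from the thread or from the screenshots above: the role and ACL names, the profile name, the domain controller and WSUS addresses, and the 24-hour cache timeout are illustrative placeholders, and the WSUS ports assume the default HTTP (8530) / HTTPS (8531) listeners.  The point it demonstrates is the one from reply 8: a laptop that has passed machine authentication but not yet user authentication can reach DHCP, DNS, the domain controllers and WSUS, and nothing else, which is enough for the user to type a new password at the Windows logon screen.

```text
! Added example (not from this thread): ArubaOS controller config for a
! machine-auth-only role.  Addresses and names are illustrative placeholders.

! Destinations the half-authenticated laptop may reach
netdestination domain-controllers
  host 10.10.1.10
  host 10.10.1.11
netdestination wsus-server
  host 10.10.2.20

! AD logon and password-change traffic to the DCs:
! DNS, NTP, Kerberos (88), kpasswd (464), LDAP/CLDAP (389), LDAPS (636),
! global catalog (3268), SMB for SYSVOL/GPO (445), RPC endpoint mapper (135)
! and the Windows dynamic RPC range used by Netlogon/SAMR.
! No explicit deny here: ACLs in a role are evaluated in order and a deny
! in this list would shadow the WSUS list below; the role's implicit deny
! at the end covers everything else.
ip access-list session mach-auth-ad-login
  user alias domain-controllers svc-dns permit
  user alias domain-controllers udp 123 permit
  user alias domain-controllers tcp 88 permit
  user alias domain-controllers udp 88 permit
  user alias domain-controllers tcp 464 permit
  user alias domain-controllers udp 464 permit
  user alias domain-controllers tcp 389 permit
  user alias domain-controllers udp 389 permit
  user alias domain-controllers tcp 636 permit
  user alias domain-controllers tcp 3268 permit
  user alias domain-controllers tcp 445 permit
  user alias domain-controllers tcp 135 permit
  user alias domain-controllers tcp 49152 65535 permit

! WSUS on its default HTTP/HTTPS listeners (assumption: adjust to your server)
ip access-list session mach-auth-wsus
  user alias wsus-server tcp 8530 permit
  user alias wsus-server tcp 8531 permit

! Role handed out after machine authentication alone.  dhcp-acl is the
! controller's predefined DHCP ACL; the two lists above supply the rest.
user-role machine-auth
  access-list session dhcp-acl
  access-list session mach-auth-ad-login
  access-list session mach-auth-wsus

! 802.1X profile: machine auth on, restricted role until user auth also
! passes.  A user who authenticates from a machine that never passed
! machine auth lands in the user-default role (here, guest).
aaa authentication dot1x "corp-dot1x"
  machine-authentication enable
  machine-authentication machine-default-role "machine-auth"
  machine-authentication user-default-role "guest"
  machine-authentication cache-timeout 24
```

    After machine auth, `show user-table verbose` should list the laptop in the machine-auth role, and `show rights machine-auth` shows the ACLs the role carries.  Once the user logs on with the new password and user authentication succeeds, the client moves to the server-derived or default authenticated role.  Keep both roles in the same VLAN, as reply 6 warns: a VLAN change between the two steps invalidates the DHCP lease the laptop obtained under the machine-auth role.  The 49152-65535 range is the Windows Server 2008+ dynamic RPC range; narrow it if the domain controllers have been configured with a fixed RPC port range.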



  • 11.  RE: AD password change with 802.1x authentication and wifi

    Posted Feb 20, 2014 07:39 AM

    I have a customer having the same thing: the user changes the password and his account is getting locked because the iPhone is using the old password :D

     

     

    Also, any recommendation on using machine + user auth?  With Windows XP it works perfectly and after the user logs in it changes to user auth; with Windows 8 it stays authenticated as machine and doesn't change or try with the user after logging in :(  Any ideas?



  • 12.  RE: AD password change with 802.1x authentication and wifi

    EMPLOYEE
    Posted Feb 20, 2014 07:42 AM

    I've seen this when user and computer auth isn't explicitly set and user auth times out; it will change itself to computer only.  Are you setting this through group policy to use User and Computer?



  • 13.  RE: AD password change with 802.1x authentication and wifi

    Posted Feb 20, 2014 07:47 AM

    Yup, group policy, and set to machine or user.



  • 14.  RE: AD password change with 802.1x authentication and wifi

    Posted Feb 20, 2014 08:20 AM

    Hi Islam,

     

    Our XP workstations work great, but we push out the settings via GPO and set it so the settings can't be changed on the workstation.  Never had an issue using that method.  As for iPhones, the user has to click on the > symbol and then click "Forget Network" to have it stop trying to use the old password.

     

    Because of that, we are looking at moving to cert-based for iPhone/iPad type devices.  We are testing ClearPass and onboarding, and so far so good.  We don't allow non-corporate devices on our network, so we have custom attributes set that prevent users from onboarding a personal device.



  • 15.  RE: AD password change with 802.1x authentication and wifi

    Posted Feb 20, 2014 08:24 AM

    XP machines work perfectly, I have tested; the issue is with Windows 8 machines.

     

    Onboarding with TLS is a good idea, but the customer wants it easy: no onboarding for VIP users :(