Charlie B wrote:
Has no one else experienced this issue where reset password confuses WinXP? I really don't want to use IAS. Anyone ideas?
Let me get this straight: You have machines in the domain, users doing domain logins, and wired 802.1x using the domain credentials. When you change a users password, the username/password cached on the client is no longer valid, and they fall off the network.
It's hard to see what else could happen; you've changed their password and given the machine they're logged onto no way of knowing that. Why don't you just let them change their password?
Very likely many resources would continue to be accessible because the credential cache includes a valid kerberos TGT but that isn't used for 802.1x/MS-CHAP - it's the plain username/password.
Whatever happens, the client machine would have to prompt the user for their new username/password.
Does this work with IAS? If so, it may be that there's an error code which can be put in an MS-CHAP-Error attribute. However, very likely Samba would have to generate the error code.
In short, I don't think it's going to work any time soon. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
