On 10/10/2012 12:31 AM, Jason Agress wrote:
> Hi all,
>
> We're currently using Microsoft IAS for RADIUS on our Cisco managed
> wireless network. We do wireless logon on our clients, which requires
> the user to first authenticate to RADIUS to initiate the wireless
> connection, then authenticate against Active Directory to complete the
> login process.
>
> The problem we run into is when a user's password expires and RADIUS
> authentication is unsuccessful; since the wireless connection cannot be
> made, AD cannot be contacted to authenticate the user and, ideally,
> prompt to change the password.
>
> I've read lots about this problem with FreeRADIUS and have seen some
> implied solutions, but nothing concrete. So here's my question: With
> FreeRADIUS, is there a way to allow successful RADIUS authentication
> with an expired password?

You can't do that, no. Successful auth against AD requires AD to cooperate, and it won't do that if the password has expired - but see right at the very end.

As Alan says, you can instead do MSCHAP password changes with the "master" branch of FreeRADIUS and a client that supports it. But TBH I'm surprised this isn't working with IAS.

What software are you running on the clients? Any non-standard supplicants?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
