Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

2011-11-08 Thread Jeffrey Sessler
I should have added:
 
Assuming that you have an account lockout policy defined, all you
should need to do to get this working is to enable/define a password
history policy. Once defined, the password history check (n-2) should
then work.
 
Jeff


>>> On Tuesday, November 08, 2011 at 11:29 AM, in message
<4eb9129c02ce1...@scrncs1.scrippscollege.edu>, Jeffrey Sessler
 wrote:

I wanted to add that if you're using AD as your authentication source,
look at implementing "Password history check (N-2)".
With Password history check (N-2), as long as the password being used
is one of the last two in the history file, the bad password count is
not incremented... thus, no account lockout when using an old, but valid
password. That is, while the user can't authenticate using the old
password (it still fails as an incorrect password), account lockout
doesn't occur. It works around the problem where a user changes their
password on say their desktop, and then their mobile device instantly
locks their account as it attempts to auth on WPA.
 
Jeff

>>> On Tuesday, November 08, 2011 at 6:55 AM, "Fleming, Tony" wrote:


Thank you for all of the responses.
It appears several of you are not allowing the accounts to be
locked-out and that would help our situation too.
We also use radius which proxies AD for authentication. For those of
you that are not allowing account lockout – is that done on a global
level in your AD, or are you able to selectively prevent some
authentication sources from locking-out the account (i.e. – don’t allow
radius requests to lock out the account, however, allow workstation
failures to lock out the account)? 
 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jack Vizelter
Sent: Tuesday, November 08, 2011 7:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and
password changes

 
As per our networking group, we’re using a windows radius server which
is our proxy for AD authentication to our secure wireless network.
 
-jack
 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Hayward
Sent: Monday, November 07, 2011 9:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: **PHISHING?** Re: WPA2-Enterprise - account lockouts and
password changes

 

what radius server do you use?
We had a similar issue with freeradius server using Novell NDSldap
authentication.
The current freeradius server has this issue fixed.
johnh...


From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jack Vizelter
[j...@mail.rockefeller.edu]
Sent: Monday, November 07, 2011 5:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and
password changes

We use WPA2 Enterprise on our wireless network and we've seen OSX
connectivity issues to our wireless network that authenticates against
our LDAP/AD when using WPA2 Ent.  

 

When a user authenticates the first time and saves the password in the
wifi profile and keychain and then changes their LDAP/AD password, the
wireless profile does not always prompt to enter a new password.  This
causes the wireless not to connect.  And when it does, the airport has
multiple wifi profiles for the same SSID causing issues.

 

What we've found that works (at least thus far) is to both delete
duplicate wireless profiles and delete the keychain password.  Then
update manually the password only for the remaining wireless profile
with the new password.

 

Unfortunately, we require password changes annually.

 

We do enforce LDAP & AD password lockouts after several failed
attempts, but they auto-unlock themselves after a fixed period.

 

-jack

 

 

On Nov 7, 2011, at 5:19 PM, Fleming, Tony wrote:

 

Crew,

We have had several complaints from our students about wireless
trouble. We believe we have a couple issues going on:

Account lockouts – Our students are allowed to register
four devices on WiFi and the majority of our students are using all of their
registrations (laptops/ipads/smartphones…). What we see are a lot of
password failures resulting in account lockouts. If one of their four
devices has a bad username and password combination stored in the WiFi
profile, it just compounds the problem and creates a lot of confusion
for our students. Sadly, these devices do not return a failure cause to
the user and it is interpreted as a bad signal or bad network.

OSX and WPA2 – It is our observation that OSX has a
continual history of WPA2 bugs.

 

My questions to the group:

How do you guys handle Account lockouts?

Do your students interpret these issues as WiFi trouble?

If so, how are you changing that perception?

Have any of you abandoned 802.1x (PEAP) because of this issue?

Do you see the same trouble with OSX an

HP Wireless questions

2011-11-08 Thread Nick Kartsioukas
We're looking at HP wireless (currently Cisco), and had a few questions.
 If you've got experience and are willing to answer, I'd definitely
appreciate it.  Feel free to reply on-list or off...
Did you migrate from Cisco to HP, start out with HP, or migrate from
some other wireless provider?  Or did you move from HP to someone else? 
If you migrated, why?
How large is your deployment?
Were there any issues setting up a captive portal with HP?
Any issues with RADIUS interoperability?
How is your performance, coverage, and client density?  Do you take
advantage of client load balancing and band steering, and do those
features work well?
Thanks!
--
Nick Kartsioukas
Cuesta College Computer Services
805-546-3248

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

2011-11-08 Thread Jeffrey Sessler
I wanted to add that if you're using AD as your authentication source,
look at implementing "Password history check (N-2)".
With Password history check (N-2), as long as the password being used
is one of the last two in the history file, the bad password count is
not incremented... thus, no account lockout when using an old, but valid
password. That is, while the user can't authenticate using the old
password (it still fails as an incorrect password), account lockout
doesn't occur. It works around the problem where a user changes their
password on say their desktop, and then their mobile device instantly
locks their account as it attempts to auth on WPA.
 
Jeff

>>> On Tuesday, November 08, 2011 at 6:55 AM, "Fleming, Tony" wrote:


Thank you for all of the responses.
It appears several of you are not allowing the accounts to be
locked-out and that would help our situation too.
We also use radius which proxies AD for authentication. For those of
you that are not allowing account lockout – is that done on a global
level in your AD, or are you able to selectively prevent some
authentication sources from locking-out the account (i.e. – don’t allow
radius requests to lock out the account, however, allow workstation
failures to lock out the account)? 
 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jack Vizelter
Sent: Tuesday, November 08, 2011 7:15 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and
password changes

 
As per our networking group, we’re using a windows radius server which
is our proxy for AD authentication to our secure wireless network.
 
-jack
 

From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of John Hayward
Sent: Monday, November 07, 2011 9:05 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: **PHISHING?** Re: WPA2-Enterprise - account lockouts and
password changes

 

what radius server do you use?
We had a similar issue with freeradius server using Novell NDSldap
authentication.
The current freeradius server has this issue fixed.
johnh...


From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Jack Vizelter
[j...@mail.rockefeller.edu]
Sent: Monday, November 07, 2011 5:42 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and
password changes

We use WPA2 Enterprise on our wireless network and we've seen OSX
connectivity issues to our wireless network that authenticates against
our LDAP/AD when using WPA2 Ent.  

 

When a user authenticates the first time and saves the password in the
wifi profile and keychain and then changes their LDAP/AD password, the
wireless profile does not always prompt to enter a new password.  This
causes the wireless not to connect.  And when it does, the airport has
multiple wifi profiles for the same SSID causing issues.

 

What we've found that works (at least thus far) is to both delete
duplicate wireless profiles and delete the keychain password.  Then
update manually the password only for the remaining wireless profile
with the new password.

 

Unfortunately, we require password changes annually.

 

We do enforce LDAP & AD password lockouts after several failed
attempts, but they auto-unlock themselves after a fixed period.

 

-jack

 

 

On Nov 7, 2011, at 5:19 PM, Fleming, Tony wrote:

 

Crew,

We have had several complaints from our students about wireless
trouble. We believe we have a couple issues going on:

Account lockouts – Our students are allowed to register
four devices on WiFi and the majority of our students are using all of their
registrations (laptops/ipads/smartphones…). What we see are a lot of
password failures resulting in account lockouts. If one of their four
devices has a bad username and password combination stored in the WiFi
profile, it just compounds the problem and creates a lot of confusion
for our students. Sadly, these devices do not return a failure cause to
the user and it is interpreted as a bad signal or bad network.

OSX and WPA2 – It is our observation that OSX has a
continual history of WPA2 bugs.

 

My questions to the group:

How do you guys handle Account lockouts?

Do your students interpret these issues as WiFi trouble?

If so, how are you changing that perception?

Have any of you abandoned 802.1x (PEAP) because of this issue?

Do you see the same trouble with OSX and WPA2?
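
The lockout behaviour Jeffrey Sessler describes in this thread (the N-2 password history check, and his follow-up that a password history policy must be defined for it to work), as an added example that is not part of the original messages and is not Active Directory code. It is a simplified model: the `Account` class, its fields, the threshold of 5 and the sample passwords are all constructed for illustration.

```python
# Simplified model of the lockout logic described in the thread; it is not
# Active Directory code, and every name and value here is constructed.
import hashlib
from dataclasses import dataclass, field


def digest(password: str) -> str:
    # Stand-in for a stored credential hash (model only).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    current: str                  # digest of the current password
    history_length: int = 0       # password history policy; 0 = not defined
    lockout_threshold: int = 5    # bad attempts before lockout (constructed)
    history: list = field(default_factory=list)   # old digests, newest first
    bad_count: int = 0
    locked: bool = False

    def change_password(self, new_password: str) -> None:
        # Only as many old passwords are remembered as the policy allows.
        self.history = ([self.current] + self.history)[: self.history_length]
        self.current = digest(new_password)

    def authenticate(self, password: str) -> bool:
        if self.locked:
            return False
        candidate = digest(password)
        if candidate == self.current:
            self.bad_count = 0
            return True
        # N-2 check: one of the last two passwords still fails the logon,
        # but the bad password count is left alone.
        if candidate in self.history[:2]:
            return False
        self.bad_count += 1
        if self.bad_count >= self.lockout_threshold:
            self.locked = True
        return False


def stale_device_scenario(history_length: int, retries: int = 20) -> Account:
    """Password is changed on the desktop; a phone keeps sending the old one."""
    acct = Account(current=digest("Autumn-2011"), history_length=history_length)
    acct.change_password("Winter-2011")
    for _ in range(retries):
        acct.authenticate("Autumn-2011")   # saved WiFi profile, never updated
    return acct


if __name__ == "__main__":
    for n in (0, 24):
        a = stale_device_scenario(n)
        print(f"history_length={n}: bad_count={a.bad_count} locked={a.locked}")
```

In this model a password that is not among the last two in the history still increments the counter, so guessed passwords lock the account exactly as before.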


RE: WPA2-Enterprise - account lockouts and password changes

2011-11-08 Thread Fleming, Tony
Thank you for all of the responses.
It appears several of you are not allowing the accounts to be locked-out and 
that would help our situation too.
We also use radius which proxies AD for authentication. For those of you that 
are not allowing account lockout - is that done on a global level in your AD, 
or are you able to selectively prevent some authentication sources from 
locking-out the account (i.e. - don't allow radius requests to lock out the 
account, however, allow workstation failures to lock out the account)?




RE: WPA2-Enterprise - account lockouts and password changes

2011-11-08 Thread Jack Vizelter
As per our networking group, we're using a windows radius server which is our 
proxy for AD authentication to our secure wireless network.

-jack
