Re: [WIRELESS-LAN] Account Lockouts after PW Change
IMO, the best solution is to stop using EAP-PEAP and start using EAP-TLS instead. With per-device certificates, you never have to worry again about account lockouts caused by wireless devices, and you can control access per-device rather than per-user.

On Fri, Apr 17, 2015 at 08:28:26AM -0400, Jesse Thomas wrote:

> Hi Everyone
>
> We recently rolled out a new password policy which includes an account lockout after a number of failed authentications. We are experiencing a fair amount of lockouts after users change their password, but fail to update their wireless devices with the new credentials. The devices have the old password cached and keep trying to connect to wireless, ultimately resulting in a locked account.
>
> We use Cisco ACS 5.5 for RADIUS against MS AD 2008R2 (PEAP w/ MS-CHAPv2).
>
> Server 2003 SP1+ has a feature called Password history check (N-2) that isn't supposed to increment the badPwdCount if the password is the same as one of the last two entries that are in the password history. (https://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx?f=255MSPPError=-2147217396)
>
> This works as expected with authentications from Windows and Mac domain-joined desktops (logins, connecting to shared drives, etc.), but does NOT work with authentications coming from RADIUS. Unfortunately there is precious little info available from MS regarding the feature (requirements and/or configuration) and cases opened with both MS and Cisco have not provided any additional information.
>
> I'm wondering if anyone here has gotten this to work with RADIUS, Cisco ACS or otherwise, so we know if we should continue to pursue this or not?
>
> Thanks in advance,
>
> --
> Jesse Thomas
> Network Systems Administrator
> Hamilton College
> 315-859-4211

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Account Lockouts after PW Change
Hi Everyone

We recently rolled out a new password policy which includes an account lockout after a number of failed authentications. We are experiencing a fair amount of lockouts after users change their password, but fail to update their wireless devices with the new credentials. The devices have the old password cached and keep trying to connect to wireless, ultimately resulting in a locked account.

We use Cisco ACS 5.5 for RADIUS against MS AD 2008R2 (PEAP w/ MS-CHAPv2).

Server 2003 SP1+ has a feature called Password history check (N-2) that isn't supposed to increment the badPwdCount if the password is the same as one of the last two entries that are in the password history. (https://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx?f=255MSPPError=-2147217396)

This works as expected with authentications from Windows and Mac domain-joined desktops (logins, connecting to shared drives, etc.), but does NOT work with authentications coming from RADIUS. Unfortunately there is precious little info available from MS regarding the feature (requirements and/or configuration) and cases opened with both MS and Cisco have not provided any additional information.

I'm wondering if anyone here has gotten this to work with RADIUS, Cisco ACS or otherwise, so we know if we should continue to pursue this or not?

Thanks in advance,

--
Jesse Thomas
Network Systems Administrator
Hamilton College
315-859-4211
Re: [WIRELESS-LAN] Account Lockouts after PW Change
On 04/17/2015 08:28 AM, Jesse Thomas wrote:

> Hi Everyone
>
> We recently rolled out a new password policy which includes an account lockout after a number of failed authentications. We are experiencing a fair amount of lockouts after users change their password, but fail to update their wireless devices with the new credentials. The devices have the old password cached and keep trying to connect to wireless, ultimately resulting in a locked account.
>
> We use Cisco ACS 5.5 for RADIUS against MS AD 2008R2 (PEAP w/ MS-CHAPv2).
>
> Server 2003 SP1+ has a feature called Password history check (N-2) that isn't supposed to increment the badPwdCount if the password is the same as one of the last two entries that are in the password history. (https://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx?f=255MSPPError=-2147217396)
>
> This works as expected with authentications from Windows and Mac domain-joined desktops (logins, connecting to shared drives, etc.), but does NOT work with authentications coming from RADIUS. Unfortunately there is precious little info available from MS regarding the feature (requirements and/or configuration) and cases opened with both MS and Cisco have not provided any additional information.
>
> I'm wondering if anyone here has gotten this to work with RADIUS, Cisco ACS or otherwise, so we know if we should continue to pursue this or not?
>
> Thanks in advance,
>
> --
> Jesse Thomas
> Network Systems Administrator
> Hamilton College
> 315-859-4211

With my Aruba setup, I got around this by blacklisting clients for 1 minute longer than the AD lockout timer and at one less authentication attempt than the AD account lockout. This handled the mobile devices with the old password problem. Mostly iOS and older Android kept banging away with the old account or with blank passwords. Blackberries gave up and disabled the profiles after failure to connect.

EAP-TLS is also a good idea obviously.

--
-James
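The following Python model is an added example and is not code from any of the posts above, nor Cisco, Aruba or Microsoft code. It models three things the thread discusses: the DC-side badPwdCount / lockoutTime behaviour that causes Jesse's lockouts, the N-2 password-history exemption as a switch (so "works for desktop logons, not for RADIUS" can be reproduced as two runs), and the controller-side client blacklist James describes (block a client MAC after one failure fewer than the AD threshold, for one minute longer than the AD lockout duration). The policy values, passwords and MAC addresses are constructed, and the AD semantics are simplified (the observation window is assumed to be no longer than the lockout duration, which is what AD enforces).

```python
"""Model of AD bad-password counting plus the two mitigations discussed in this thread.
Constructed example; LockoutPolicy mirrors lockoutThreshold, lockoutObservationWindow
and lockoutDuration, all in simplified form."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5             # lockoutThreshold: bad attempts before lockout
    observation_window: int = 600  # seconds before badPwdCount resets on its own
    lockout_duration: int = 600    # seconds an account stays locked (>= window in AD)


@dataclass
class Account:
    """One AD account; counts bad passwords roughly the way a DC does."""
    password: str
    policy: LockoutPolicy
    history_exempt: bool      # True: the N-2 password-history check applies on this auth path
    history: List[str] = field(default_factory=list)  # previous passwords, newest first
    bad_pwd_count: int = 0
    last_bad: float = float("-inf")
    lockout_time: Optional[float] = None
    lockouts: int = 0

    def change_password(self, new: str) -> None:
        self.history.insert(0, self.password)
        self.password = new

    def is_locked(self, now: float) -> bool:
        if self.lockout_time is None:
            return False
        if now >= self.lockout_time + self.policy.lockout_duration:
            self.lockout_time, self.bad_pwd_count = None, 0   # lockoutDuration elapsed
            return False
        return True

    def authenticate(self, pw: str, now: float) -> str:
        if self.is_locked(now):
            return "LOCKED"
        if pw == self.password:
            self.bad_pwd_count = 0
            return "OK"
        if self.history_exempt and pw in self.history[:2]:
            return "BAD_PASSWORD"  # N-2: stale-but-recent password, badPwdCount untouched
        if now - self.last_bad > self.policy.observation_window:
            self.bad_pwd_count = 0   # observation window expired, counter starts over
        self.bad_pwd_count += 1
        self.last_bad = now
        if self.bad_pwd_count >= self.policy.threshold:
            self.lockout_time = now
            self.lockouts += 1
        return "BAD_PASSWORD"


@dataclass
class ClientBlacklist:
    """Controller-side blacklist in front of RADIUS. Counts per client MAC, not per account."""
    policy: LockoutPolicy
    extra_block_seconds: int = 60  # "1 minute longer than the AD lockout timer"
    failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def allowed(self, mac: str, now: float) -> bool:
        return now >= self.blocked_until.get(mac, float("-inf"))

    def record(self, mac: str, result: str, now: float) -> None:
        if result == "OK":
            self.failures.pop(mac, None)
            return
        count, last = self.failures.get(mac, (0, float("-inf")))
        if now - last > self.policy.observation_window:
            count = 0
        count += 1
        if count >= self.policy.threshold - 1:   # one attempt fewer than AD's threshold
            self.blocked_until[mac] = now + self.policy.lockout_duration + self.extra_block_seconds
            self.failures.pop(mac, None)
        else:
            self.failures[mac] = (count, now)


def simulate(devices, history_exempt, use_blacklist, policy=None, interval=30, duration=3600):
    """Stale devices retry every `interval` s for `duration` s; returns the number of lockouts."""
    policy = policy or LockoutPolicy()
    acct = Account(password="Old-Pw-1", policy=policy, history_exempt=history_exempt)
    acct.change_password("New-Pw-2")   # user changed it; the devices still hold Old-Pw-1
    bl = ClientBlacklist(policy) if use_blacklist else None
    for now in range(0, duration, interval):
        for mac, cached_pw in devices:
            if bl is not None and not bl.allowed(mac, now):
                continue                # dropped at the controller, never reaches the DC
            result = acct.authenticate(cached_pw, now)
            if bl is not None:
                bl.record(mac, result, now)
    return acct.lockouts


if __name__ == "__main__":
    one = [("aa:bb:cc:00:00:01", "Old-Pw-1")]          # constructed: one stale phone
    two = one + [("aa:bb:cc:00:00:02", "Old-Pw-1")]    # constructed: a second stale device
    print("RADIUS path, no mitigation:        ", simulate(one, False, False))
    print("desktop path with N-2 check:       ", simulate(one, True, False))
    print("RADIUS path + controller blacklist:", simulate(one, False, True))
    print("two stale devices + blacklist:     ", simulate(two, False, True))
```

Two things the model makes visible. First, the extra minute matters: the blacklist has to outlast the DC's observation window (which AD caps at the lockout duration) so that badPwdCount has reset to zero before the client is allowed to try again; a blacklist of exactly the lockout duration leaves the DC's counter at threshold minus one when the retries resume. Second, the blacklist counts per client MAC while AD counts per account, so two stale devices for the same user (or one stale phone plus a user mistyping at a desktop) still add up to a lockout; the last simulation run shows that case.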
TAC Recommended AireOS 7.6 and 8.0 - 2Q CY15
https://supportforums.cisco.com/document/12481821/tac-recommended-aireos-76-and-80-2q-cy15

Sent from my iPhone