It doesn't answer the question, but I verified today that ACS 3.3 does not 
experience this condition (have a small pilot going). Also, heard last week 
that IAS does have the same condition, though can't yet vouch for that notion.

Best,

Lee Badman
Network Engineer
CWNA, CWSP
Information Technology and Services
(Formerly Computing and Media Services)
Syracuse University
(315) 443-3003
[EMAIL PROTECTED]


>>> [EMAIL PROTECTED] 4/10/2006 5:38 PM >>>

At 07:37 -0500 10/11/2005, Chris Hart wrote:
>Has anyone confirmed that Funk update has resolved the issue with the
>password change?

Reviving this old thread.

To review, the problem is as explained by Michael King concerning cached
credentials with the XP 802.1X PEAP supplicant:

At 09:07 -0400 06/24/2005, King, Michael wrote:
>FreeRadius -
>When a password is bad (fail MS-CHAPv2), the FreeRadius server will send
>an EAP-Failure inside the EAP-PEAP tunnel, then send a second payload of
>an EAP-Failure
>
>Steel-Belted Radius -
>When a password is bad (fail MS-CHAPv2), the SBR server will ONLY send
>an EAP-Failure, it will not send the EAP-Failure inside the EAP-PEAP
>tunnel, basically, it skips a step.
>
>Apparently, the EAP-Failure inside the EAP-PEAP tunnel is what triggers
>the XP client that the password is wrong and it should reprompt.

Michael filed bug 5429 w/ Funk and reported that a test build would be
available back in the August timeframe to fix this problem.

We actually obtained the test build, but we never got around to trying it
because we were told that the test build would require a complete rebuild of
our config, which we didn't have the time to do.

The final 5.3 release was supposed to incorporate this fix.  We just upgraded
this Sunday to SBR 5.30.2009, and I've got basic PEAP going with MS-CHAPv2.
At least the Mac client works fine, as always, but the Windows XP supplicant
still doesn't work when the AD password on the back end is changed.  Windows
prompts for a new password, but it doesn't work to let the user on the
network, just prompts again.  As always, deleting the EAPOL registry settings
fixes things, at least until the AD password is changed again.

According to Funk (now Juniper), the way to turn on the feature is to edit
winauth.aut to change the following line:

;RetryFailedAuthentications     = no

to

RetryFailedAuthentications     = yes

Again, though, this did not work for us.

Has anyone got this working?

Thanks!!



-- 
Julian Y. Koh                         <mailto:[EMAIL PROTECTED]>
Network Engineer                                   <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
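The difference Michael King describes (an EAP-Failure delivered inside the PEAP tunnel versus only an outer EAP-Failure) can be modelled in a few lines. This is an added example, not code from the thread or from any of the products named in it: it builds RFC 3748 EAP packets, stands in for the two server behaviours, and models a supplicant that only clears its cached credentials and reprompts when it sees the inner failure. The TLS encryption of the PEAP payload is omitted, and the `server_response`/`xp_supplicant` functions are assumptions made for the model.

```python
# Model of the PEAP/MS-CHAPv2 failure exchange discussed in the thread (constructed example).
# EAP header per RFC 3748: code(1) identifier(1) length(2) [type(1) type-data...]
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_PEAP = 25
PEAP_FLAGS_NONE = b"\x00"  # PEAP type-data begins with a flags byte, then TLS data


def eap_packet(code, ident, eap_type=None, data=b""):
    """Serialise one EAP packet; Success/Failure carry no type field."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type or None, type-data); rejects a bad length field."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    eap_type = pkt[4] if length > 4 else None
    return code, ident, eap_type, pkt[5:]


def server_response(style, ident):
    """Packets a server sends after the inner MS-CHAPv2 exchange fails (per the thread)."""
    inner_failure = eap_packet(EAP_FAILURE, ident)
    if style == "freeradius":
        # Inner EAP-Failure carried as PEAP type-data (TLS layer omitted here), then outer EAP-Failure.
        return [eap_packet(EAP_REQUEST, ident, EAP_TYPE_PEAP, PEAP_FLAGS_NONE + inner_failure),
                eap_packet(EAP_FAILURE, ident)]
    if style == "sbr":
        # Only the outer EAP-Failure; the tunnelled failure step is skipped.
        return [eap_packet(EAP_FAILURE, ident)]
    raise ValueError(f"unknown server style: {style}")


def xp_supplicant(messages):
    """'reprompt' if an EAP-Failure was seen inside the PEAP tunnel, else 'retry_cached'.

    The second outcome is the loop described in the thread: the cached (stale) credentials
    are reused and the user is never asked for the new password."""
    for pkt in messages:
        code, _, eap_type, data = parse_eap(pkt)
        if code == EAP_REQUEST and eap_type == EAP_TYPE_PEAP and len(data) > 1:
            inner_code, *_ = parse_eap(data[1:])  # skip the PEAP flags byte
            if inner_code == EAP_FAILURE:
                return "reprompt"
    return "retry_cached"
```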

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
