How does 802.1x handle an account when a user's password expires?

  • 1
  • Question
  • Updated 3 years ago
I am looking for advice on how admins handle their clients' Active Directory (AD) password expires. We are currently on a 180 day password rotation, but I am worried that they will not be able to access the network if their account password expires. 

We are primarily a Mac environment and we are a school that will be requiring students to bring their own device (BYOD).

Any advice would be appreciated.
Photo of Bob Ogden

Bob Ogden

  • 11 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1
Photo of BJ

BJ, Champ

  • 374 Posts
  • 45 Reply Likes
Macs will prompt for a password. How they access AD to update their password becomes the issue. Here's a link to a discussion regarding this issue.

Best,
BJ

https://discussions.apple.com/thread/5797604
 
Photo of Bruce Richardson

Bruce Richardson

  • 12 Posts
  • 1 Reply Like
It also depends on how the Radius server is set up. I'm running freeradius on Linux and there is an option that switches on/off error reporting for eap clients. 

in the config file there is this text ..
# Prior to version 2.1.11, the module never
# sent the MS-CHAP-Error message to the
# client. This worked, but it had issues
# when the cached password was wrong. The
# server *should* send "E=691 R=0" to the
# client, which tells it to prompt the user
# for a new password.
#
# The default is to behave as in 2.1.10 and
# earlier, which is known to work. If you
# set "send_error = yes", then the error
# message will be sent back to the client.
# This *may* help some clients work better,
# but *may* also cause other clients to stop
# working.


HTH

Bruce






Photo of Bob Ogden

Bob Ogden

  • 11 Posts
  • 0 Reply Likes
Thanks for the advice. In regards to the Mac and AD, those are for bound computers. I am more worried about student devices that are not bound to the directory. Sounds like their credentials will expire and then not be allowed onto the network because their credentials will not be valid.
Photo of Hoffman Gonzalez

Hoffman Gonzalez

  • 1 Post
  • 0 Reply Likes
Re-opening this question as our environment is also on password rotation(45 days). environment is windows 2008R2 radius/nps

iOS/Android devices specifically are not prompting for new password; they simply drop off/cant associate. any help on this?
Photo of Adrian Jezierski

Adrian Jezierski

  • 2 Posts
  • 0 Reply Likes
I too, am running into the same issue with mobile devices locking out the users account whenever they change there passwords or it expires. Is there a way to only have the user authenticate once, and they're good till they are removed from the wireless access AD group? Or certificate authentication?

Thanks for any help on this.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Adrian,

Have you instead considered enforcing password complexity on users and not using an account lockout after n attempts policy?

Passwords of sufficient complexity are fully resistant to brute force attacks and tools exist to autonomously monitor/audit and flag failed attempts to authenticate.

It is a high impact DoS security vulnerability to enable that type of account lockout where the accounts can be used to attempt to authenticate to a wireless network.

Anybody can maliciously attempt to authenticate with invalid credentials, surgically locking out accounts.

Imagine, for example, if all the high privileged users, such as domain administrators, were subject to this policy and their accounts were locked out.

It is nearly always a mistake therefore to enable this 'feature' in a Windows domain.

The other option is to consider using device certificates instead of username/password based credentials with an enrolment process to sidestep the issue with a better scheme, look at things like Aerohive's ID Manager and CloudPath's XpressConnect, the latter being more full featured but significantly more expensive.

Regards,

Nick
(Edited)
Photo of Adrian Jezierski

Adrian Jezierski

  • 2 Posts
  • 0 Reply Likes
Nick,
The password policy is not the issue here...we've got that covered. It's when the user changes there password at the required time, they forget all the places and devices they have to update there passwords to. We as admins don't have this problem, because we live and breath this stuff. But with the common user, it goes in one ear and out the other, and the cycle repeats itself every XX days.
As you precluded, I'm looking to implement a certificate instead of un/pw. I would like to use the resources that I already have in my inventory. Currently running the radius on 08r2 with ADCS, NP, and IIS. I just need help with making the required cert, and enforcing mobile devices to only authenticate to the ssid with the issued cert. I'm using McAfee's EMM server with EPO for mobile device management, but I don't think that it plays with the radius server.
If anyone can point me to some good blogs of tutorials, regarding certificate based authentication setups would be greatly appreciated.