Re: [WIRELESS-LAN] ISE Dynamic VLAN redirect with single eduroam WLAN
Hi Sean,

We have a similar setup here, but with WiSM2/9800s. We're also using ISE 2.6 & AD. I'd be happy to share our notes with you and/or do a Zoom and show you our policies & configuration.

--
Jesse Thomas
jtho...@hamilton.edu
Hamilton College Network Services

On Wed, Jul 7, 2021 at 12:52 PM Gray, Sean wrote:

> Hi Everyone,
>
> We are looking to amalgamate our 3 dot1x WLANs (employees/student/eduroam) into a single WLAN (eduroam). Behind the scenes we still need to authenticate and route clients to their respective network segment. So to achieve this we need to implement dynamic VLAN redirects behind the scenes.
>
> Eduroam users from other institutions will be sent out to eduroam to be handled appropriately.
>
> Authentication will be handled by ISE cluster, running 2.6.0.156
> WLC – 5520 (pair) running 8.8.130.0
>
> The process, from a high level, should look something like this:
>
> - Staff/faculty will connect to our new single WLAN, namely Eduroam
> - They will be caught by the appropriate policy and authenticated against AD, validating that they are staff/faculty
> - Now they will be redirected to the appropriate VLAN
>
> - Students will follow the same process, but will be validated that they are a student, and redirected to a different VLAN
>
> - All others (externals) will be sent to an external RADIUS server for auth and then redirected to yet another different VLAN.
>
> Currently unique policies exist for each of these processes, without the added complexities of the VLAN redirect. So my mission is to combine these, filtering each client to their auth point, and then upon receiving the authorization, assign the appropriate VLAN tag, for IP assignment, prior to them getting on-net.
>
> I've been unable to find any meaningful documentation around how to handle internal vs external RADIUS redirection in this scenario.
>
> So has anyone done this, and are they able to share their process, inclusive of VLAN redirect?
>
> Thanks
>
> Sean
>
> *Sean Gray* | B.Sc (Hons)
> Voice, Collaboration & Wireless Network Analyst
> ITS, University of Lethbridge

**
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
**
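The flow Sean describes (home users authenticated against AD and placed in a VLAN by role, foreign realms proxied out to eduroam and placed in a third VLAN) is modelled below as an added example; it is not code from the thread, from Cisco ISE or from eduroam. The routing decision is driven by the realm of the outer identity, and the VLAN itself travels in the RFC 3580 Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID attributes, which the block encodes and decodes. The realm, group names, VLAN numbers and the user-to-group table are constructed placeholders.

```python
import struct

# RFC 2868 tunnel attributes, used per RFC 3580 for 802.1X dynamic VLAN assignment.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TAG = 1  # one tag octet groups the three attributes; tag 1 is the common default

# Constructed placeholders: the home realm, the AD groups and the VLAN IDs are made up.
HOME_REALMS = {"example.edu"}
VLAN_BY_GROUP = {"staff-faculty": 100, "students": 200}
EXTERNAL_VLAN = 300  # where visiting eduroam users land after their home IdP accepts them

# Stand-in for the AD group lookup ISE performs on the (inner) authenticated identity.
AD_GROUPS = {"jdoe": "staff-faculty", "s1234": "students", "contractor": "vendors"}


def split_identity(identity):
    """'user@realm' -> (user, realm); the realm is what routes the request."""
    user, _, realm = identity.rpartition("@")
    return user, realm.lower()


def tagged_int(attr_type, value):
    """Tagged attribute with a 3-octet integer (Tunnel-Type, Tunnel-Medium-Type)."""
    return struct.pack("!BBB", attr_type, 6, TAG) + value.to_bytes(3, "big")


def tagged_string(attr_type, value):
    """Tagged attribute carrying a string (Tunnel-Private-Group-ID)."""
    data = value.encode()
    return struct.pack("!BBB", attr_type, 3 + len(data), TAG) + data


def vlan_attributes(vlan_id):
    """The three attributes the WLC needs in an Access-Accept to place a client in vlan_id."""
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)))


def decide(outer_identity, inner_identity=None):
    """Policy for one session on the single eduroam WLAN: (route, result, vlan).

    result is 'accept'/'reject' for home users, or 'proxy' when the request must be
    forwarded to eduroam; vlan is the one assigned locally if that proxy succeeds.
    """
    _, realm = split_identity(outer_identity)
    if realm not in HOME_REALMS:
        # Foreign realm: forward to the eduroam federation. Tunnel-* attributes in the
        # upstream Access-Accept should be dropped; the VLAN is the local SP's decision.
        return "eduroam-proxy", "proxy", EXTERNAL_VLAN
    user, _ = split_identity(inner_identity or outer_identity)
    vlan = VLAN_BY_GROUP.get(AD_GROUPS.get(user))
    if vlan is None:
        # Valid AD account but no matching rule: explicit reject, never a fallback VLAN.
        return "internal-ad", "reject", None
    return "internal-ad", "accept", vlan


def parse_vlan(attrs):
    """Read Tunnel-Private-Group-ID back out of an attribute blob (to verify a capture)."""
    i = 0
    while i < len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            body = attrs[i + 2:i + length]
            if body[0] <= 0x1F:  # RFC 2868: a leading octet <= 0x1F is a tag, not text
                body = body[1:]
            return int(body.decode())
        i += length
    return None


if __name__ == "__main__":
    for outer, inner in [("anonymous@example.edu", "jdoe@example.edu"),
                         ("anonymous@example.edu", "contractor@example.edu"),
                         ("anonymous@other-university.ac.uk", None)]:
        route, result, vlan = decide(outer, inner)
        attrs = vlan_attributes(vlan).hex() if vlan else "-"
        print(f"{outer:35} {route:14} {result:7} vlan={vlan} attrs={attrs}")
```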
Re: [WIRELESS-LAN] Lead time for Wi-Fi gear?
Hi Everyone,

We ordered a few hundred Cisco 9105AXW APs about six weeks ago and were pleasantly surprised when they arrived about three weeks later (expected lead time was two months). Other equipment (non-Wi-Fi) has been taking much longer.

--
Jesse Thomas
Hamilton College Network Services
315-859-4211

On Thu, May 20, 2021 at 11:19 AM Hales, David wrote:

> We ordered some Extreme/Aerohive gear about 6 weeks ago and got half immediately and the other half showed up last week.
>
> *David Hales*
> *Network Systems Administrator*
> Information Technology Services
> Tennessee Tech University
> 1010 N. Peachtree Av., CLEM117
> Cookeville, TN 38505
> *P:* 931-372-3983
> *E:* dha...@tntech.edu
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of* Mike Atkins
> *Sent:* Thursday, May 20, 2021 9:24 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Lead time for Wi-Fi gear?
>
> What's the word on lead time for your Wi-Fi gear? We are primarily Cisco but have some Aruba and see ship times six months out. Is that what everyone else is seeing? I know some Meraki gear can be shipped within a week or so. I just wanted to get a feel from the group as to what they hear on the street.
>
> --
> *Mike Atkins*
> Infrastructure Architect
> Office of Information Technology
> University of Notre Dame
> Phone: 574-631-7210
Re: [WIRELESS-LAN] Cisco WLC 9800 Gotchas
Hi Eric and Nick,

I do not believe the traditional templates work for APs on the 9800 platform (we make heavy use of them for our AireOS hardware). I did give it a try and it returns a status of "Not Applicable", and the settings for the LAN ports are not changed. That said, the behavior we are experiencing could also be related to an SNMP bug between 17.3.2a and Prime. This is currently preventing us from using Prime to change names on these APs as well.

In Prime 3.8 there is a new section: Menu > Configuration > Cisco Catalyst 9800 Configuration where you can create and deploy tags & profiles (matching what's on the WLC), but the trouble we've found is that there is no way to *enable* the LAN ports in this manner—either via Prime or directly on the WLC using tags/profiles. We have created an RLAN Profile and RLAN Policy to configure the basic settings, security, VLAN mapping, PoE, etc. and these all work as expected, but once this configuration is applied, the ports remain in a disabled state, and we've had to manually enable them on each AP. We have confirmed this behavior with TAC and our regional Cisco SE and are in the process of filing an enhancement request.

@Eric - would you be willing to share more detail on or off the list regarding "CSV uploads of MAC-to-AP name assignments"? If I am understanding this correctly, it may be something useful in our deployment workflow.

Thanks,
--
Jesse

On Thu, Dec 10, 2020 at 5:36 PM Ciesinski, Nick wrote:

> Are you talking about enabling the LAN ports from Prime or on the WLC itself? On the WLC itself the LAN ports are configured via the policy tag configuration in the RLAN-POLICY map section where you assign a RLAN to each port. That policy tag then needs to be applied to the APs.
>
> For applying tags I've personally moved away from having Prime statically assign APs tags like I used to do with AP groups in AireOS and instead have written regex rules on the WLC to automatically apply the tag based on the AP name.
>
> Nick
>
> On Dec 10, 2020, at 11:43 AM, Jesse Thomas wrote:
>
> > Hi Everyone,
> >
> > We are boldly moving forward with a deployment of two 9800-40s (HA pair) and about 400 of the new 9105AXW access points. We have encountered a couple of minor issues thus far and I am curious if anyone in the group has also experienced them and perhaps has some recommendations for workarounds.
> >
> > 1. Oddly, there does not appear to be a way to enable the LAN ports on the access points via a policy or tag within the RLAN configuration. We have confirmed this behavior with TAC and filed for an enhancement request. Our current plan is to export a list of all APs and then do a bulk configuration via the CLI.
> >
> > 2. We intend to manage this new setup via Prime Infrastructure and potentially move to DNAC once we retire our older equipment that is not supported on the new platform. However, there does not seem to be a straightforward way to apply existing tags/policies created on the WLC to APs within Prime, and documentation is sparse in this area.
> >
> > Thanks for any insights you can provide on these topics.
> >
> > Regards,
> >
> > --
> > Jesse Thomas
> > Network & Systems Administrator
> > Hamilton College
> > 315-859-4211
Cisco WLC 9800 Gotchas
Hi Everyone,

We are boldly moving forward with a deployment of two 9800-40s (HA pair) and about 400 of the new 9105AXW access points. We have encountered a couple of minor issues thus far and I am curious if anyone in the group has also experienced them and perhaps has some recommendations for workarounds.

1. Oddly, there does not appear to be a way to enable the LAN ports on the access points via a policy or tag within the RLAN configuration. We have confirmed this behavior with TAC and filed for an enhancement request. Our current plan is to export a list of all APs and then do a bulk configuration via the CLI.

2. We intend to manage this new setup via Prime Infrastructure and potentially move to DNAC once we retire our older equipment that is not supported on the new platform. However, there does not seem to be a straightforward way to apply existing tags/policies created on the WLC to APs within Prime, and documentation is sparse in this area.

Thanks for any insights you can provide on these topics.

Regards,
--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211
Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] Weak Security
+1 for us as well - we disabled WPA and TKIP many years ago and have not had any issues with client connectivity.

--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211

On Thu, Dec 3, 2020 at 9:38 AM Smith, Nayef wrote:

> +1 to Chuck's comment. No issues here.
>
> Nayef Z. Smith | *Emory LITS* *Network Services* | Suite 1700 | 1762 Clifton Road | Atlanta GA 30322 | Voice: 404-727-6019
> --
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> on behalf of Enfield, Chuck <cae...@psu.edu>
> *Sent:* Tuesday, December 1, 2020 7:33 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* [External] Re: [WIRELESS-LAN] Weak Security
>
> We stopped supporting TKIP years ago. No issues that I'm aware of.
>
> Chuck Enfield
> Manager, Wireless & Cellular
> Penn State IT
> 814-863-8715
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of* Entwistle, Bruce
> *Sent:* Tuesday, December 1, 2020 7:14 PM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Weak Security
>
> Apple devices that are updating to iOS 14 are now reporting that wireless security is weak. We are currently using a combination of WPA/TKIP and WPA2/AES for security, but are considering the move to WPA2/AES only. I was looking to see what others have done and what challenges you faced in making these changes.
>
> https://discussions.apple.com/thread/251805737
>
> Thank you
>
> Bruce Entwistle
> Network Manager
> University of Redlands
Re: [WIRELESS-LAN] Transitioning from older controller to new controller
Same here - we're moving from WiSM2 to 9840.

Thanks,
--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211

On Fri, Oct 9, 2020 at 10:44 AM Slone, Kelly wrote:

> I would also like to be included.
>
> Thank you,
>
> *Kelly Slone, B.S., MCP*
> IT Infrastructure Engineer
> Marshall University Information Technology
> Drinko Library DL 436
> Office: 304-696-6109
> Helpdesk: 304-696-3200
> *slon...@marshall.edu*
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Date:* Friday, October 9, 2020 at 10:30 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
> *Subject:* Re: [WIRELESS-LAN] Transitioning from older controller to new controller
>
> Sounds like I might need to set up a general session. I'll catch Don and Abbas early next week, but if there's other interest, I'm happy to do a wider discussion after a bit of preparation. I'll send out an invite for signups when I'm ready next week.
>
> On Fri, Oct 9, 2020 at 7:27 AM Floyd, Brad wrote:
>
> Mike,
>
> Per our recent conversation about this topic, yes please add me to the invite list.
>
> Thanks,
>
> Brad
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] *On Behalf Of* Mike Atkins
> *Sent:* Friday, October 09, 2020 9:08 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* Re: [WIRELESS-LAN] Transitioning from older controller to new controller
>
> I've reached out to a few schools individually on this very topic. Would the group want to do a Zoom session on this?
>
> *Mike Atkins*
> Network Engineer
> Office of Information Technology
> University of Notre Dame
>
> *From:* The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> *On Behalf Of* Sullivan, Don
> *Sent:* Friday, October 9, 2020 9:01 AM
> *To:* WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> *Subject:* [WIRELESS-LAN] Transitioning from older controller to new controller
>
> We are in the process of upgrading our wireless from a Cisco 8510 to a Cisco 9800-80. I wanted to query those on this list who have already gone through this process about any lessons learned that would have been nice to know before transitioning your existing AP inventory that is compliant with the new hardware. I am building the configuration for the 9800 from scratch and it has been a challenge learning the new concepts for configuring this type of controller, so I was hoping to see what others have learned from the experience. Any thoughts would be appreciated.
>
> *Don Sullivan*
> *Network Administrator*
> *Technology Services*
> 205-726-2111 | office
> dsulli...@samford.edu
> LinkedIn <http://linkedin.com/in/donaldasullivan>
> www.samford.edu
> 800 Lakeshore Drive
> Birmingham, AL 35229
Re: [WIRELESS-LAN] [External] Re: [WIRELESS-LAN] AP Management Network Size
Hi Everyone,

Thanks for all the responses thus far—this community is always extremely helpful. I should add that we have L2 connectivity in each location and that all APs run in Local Mode (tunneled back to controller), so aside from DHCP at boot, there would be very little broadcast traffic.

@Bruce - I like your idea of having them on the building VLANs. We do that for some now and I had not considered that for all of them. However, we are also looking at Cisco's DNA for management, and I think that would be easier to manage if the APs were on a dedicated set of networks. We moved our switches to this model (dedicated management network) starting last year, and it has worked well for us.

To ease management, my preference would be for a pair of /22s, or even one /21, but I worry a little about that many APs in one segment. Has anyone gone "too big", and had issues as a result?

Thank you again,
--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211

On Thu, Jun 18, 2020 at 2:46 PM Adam T. Ferrero wrote:

> We have ~6k APs and place them on AP mgmt. subnets of /22. We tunnel all traffic back to controllers so the broadcast isn't significant (no user broadcast on the AP mgmt. VLAN). The weakest devices we have are VoIP phones where 200 broadcast packets per second can hurt them but broadcast pps above 50 is abnormal here.
>
> Adam
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Curtis, Bruce
> Sent: Thursday, June 18, 2020 2:19 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [External] Re: [WIRELESS-LAN] AP Management Network Size
>
> We take a more Zero Trust approach and don't put APs on a separate VLAN.
>
> The APs are on the same VLAN as other devices in the building.
>
> No problems in more than 14 years.
>
> We do give them private IPv4 numbers but they get public IPv6 numbers.
>
> > On Jun 17, 2020, at 2:56 PM, Jesse Thomas wrote:
> >
> > Hi Everyone,
> >
> > We are preparing to replace our existing Cisco WiSM2 controllers with 9800s. Part of this upgrade will include redesigning our AP management network(s)—currently, we have about 500 APs spread across 3 different /24's.
> >
> > As we move towards an in-room design in our residence halls and provide denser 5GHz coverage throughout campus in the coming years, we expect the number of APs to grow by quite a bit.
> >
> > I am interested in how others have sized their AP management networks. I have not found any concrete guidance from Cisco and various recommendations elsewhere range from /25 to /21. Larger ranges would of course be easier to manage, but at the same time we don't want to introduce issues related to broadcast traffic.
> >
> > Thanks for any input that you can provide.
> >
> > Regards,
> >
> > --
> > Jesse Thomas
> > Network & Systems Administrator
> > Hamilton College
> > 315-859-4211
>
> Bruce Curtis
> Network Engineer / Information Technology NORTH DAKOTA STATE UNIVERSITY
> phone: 701.231.8527
> bruce.cur...@ndsu.edu
AP Management Network Size
Hi Everyone,

We are preparing to replace our existing Cisco WiSM2 controllers with 9800s. Part of this upgrade will include redesigning our AP management network(s)—currently, we have about 500 APs spread across 3 different /24's.

As we move towards an in-room design in our residence halls and provide denser 5GHz coverage throughout campus in the coming years, we expect the number of APs to grow by quite a bit.

I am interested in how others have sized their AP management networks. I have not found any concrete guidance from Cisco and various recommendations elsewhere range from /25 to /21. Larger ranges would of course be easier to manage, but at the same time we don't want to introduce issues related to broadcast traffic.

Thanks for any input that you can provide.

Regards,
--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211
Account Lockouts after PW Change
Hi Everyone,

We recently rolled out a new password policy which includes an account lockout after a number of failed authentications. We are experiencing a fair amount of lockouts after users change their password, but fail to update their wireless devices with the new credentials. The devices have the old password cached and keep trying to connect to wireless, ultimately resulting in a locked account.

We use Cisco ACS 5.5 for RADIUS against MS AD 2008R2 (PEAP w/ MS-CHAPv2). Server 2003 SP1+ has a feature called Password history check (N-2) that isn't supposed to increment the badPwdCount if the password is the same as one of the last two entries that are in the password history. (https://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx)

This works as expected with authentications from Windows and Mac domain-joined desktops (logins, connecting to shared drives, etc.), but does NOT work with authentications coming from RADIUS. Unfortunately there is precious little info available from MS regarding the feature (requirements and/or configuration) and cases opened with both MS and Cisco have not provided any additional information.

I'm wondering if anyone here has gotten this to work with RADIUS, Cisco ACS or otherwise, so we know if we should continue to pursue this or not?

Thanks in advance,
--
Jesse Thomas
Network Systems Administrator
Hamilton College
315-859-4211

**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
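An added example, not from the post or from Cisco ACS, of how the RADIUS failure stream itself can point at the devices causing the lockouts: a (user, MAC) pair that only starts failing after that user's password change, while the same user authenticates fine from another device, is a cached old password, and that device is what the helpdesk needs to fix. The simplified log format, the users, MACs, change times and the lockout threshold are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp,user,calling-station-id,protocol,result.
LOG_LINES = """\
2021-03-02T07:55:02,jdoe,AA:BB:CC:DD:EE:01,PEAP/MSCHAPv2,PASS
2021-03-02T08:00:00,jdoe,AA:BB:CC:DD:EE:02,PEAP/MSCHAPv2,PASS
2021-03-02T08:10:15,jdoe,AA:BB:CC:DD:EE:02,PEAP/MSCHAPv2,FAIL
2021-03-02T08:10:45,jdoe,AA:BB:CC:DD:EE:02,PEAP/MSCHAPv2,FAIL
2021-03-02T08:11:20,jdoe,AA:BB:CC:DD:EE:02,PEAP/MSCHAPv2,FAIL
2021-03-02T08:12:00,jdoe,AA:BB:CC:DD:EE:01,PEAP/MSCHAPv2,PASS
2021-03-02T08:12:30,jdoe,AA:BB:CC:DD:EE:03,PEAP/MSCHAPv2,FAIL
2021-03-02T08:30:00,asmith,AA:BB:CC:DD:EE:10,PEAP/MSCHAPv2,FAIL
2021-03-02T08:31:00,asmith,AA:BB:CC:DD:EE:10,PEAP/MSCHAPv2,FAIL
2021-03-02T08:32:00,asmith,AA:BB:CC:DD:EE:10,PEAP/MSCHAPv2,FAIL
"""

# Constructed: password-change times, e.g. taken from the directory's pwdLastSet.
PASSWORD_CHANGED = {"jdoe": datetime(2021, 3, 2, 8, 5, 0)}

LOCKOUT_THRESHOLD = 3           # placeholder for the policy's failed-attempt limit
WINDOW = timedelta(minutes=30)  # placeholder for the lockout observation window


def parse(text):
    """Turn the export into (time, user, mac, protocol, result) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, user, mac, proto, result = line.split(",")
        records.append((datetime.fromisoformat(ts), user, mac.upper(), proto, result))
    return records


def failure_streaks(records, window):
    """Per (user, MAC): failures inside `window` before the last one, plus first/last time."""
    fails = defaultdict(list)
    for ts, user, mac, _, result in records:
        if result == "FAIL":
            fails[(user, mac)].append(ts)
    streaks = {}
    for key, times in fails.items():
        times.sort()
        in_window = sum(1 for t in times if times[-1] - t <= window)
        streaks[key] = (in_window, times[0], times[-1])
    return streaks


def classify(records, changes, threshold, window):
    """Split (user, MAC) pairs at or over the threshold into stale-credential devices
    (all failures after that user's password change) and failures with no such explanation."""
    stale, unexplained = {}, {}
    for (user, mac), (count, first, _) in failure_streaks(records, window).items():
        if count < threshold:
            continue
        changed = changes.get(user)
        if changed is not None and first >= changed:
            stale[(user, mac)] = count
        else:
            # Repeated failures with no recent change are not cached credentials and
            # deserve a separate look (typo loop, misconfigured client, or abuse).
            unexplained[(user, mac)] = count
    return stale, unexplained


def recovered_users(records, changes):
    """Users who have authenticated successfully from some device since their change,
    which confirms the failing device, not the user, holds the wrong password."""
    return {user for ts, user, _, _, result in records
            if result == "PASS" and user in changes and ts >= changes[user]}


if __name__ == "__main__":
    recs = parse(LOG_LINES)
    stale, unexplained = classify(recs, PASSWORD_CHANGED, LOCKOUT_THRESHOLD, WINDOW)
    ok = recovered_users(recs, PASSWORD_CHANGED)
    for (user, mac), n in stale.items():
        print(f"stale credential: {user} on {mac} ({n} failures; user recovered: {user in ok})")
    for (user, mac), n in unexplained.items():
        print(f"investigate: {user} on {mac} ({n} failures, no recent password change)")
```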