Tony, We have the same problem here at UTK (6 months standard password change policy and 2 months for people with access to financial data) Moving to EAP-TLS could resolve the network access problem. We are investigating using MS PKI and EAP-TLS to go around this WPA2-enterprise problem. You will still end up with account lockouts from email authentications (especially when people have a device at home that didn't get updated as far as the password change) but at least not from network auth. (or you could use the PKI to authenticate email as well ;-)
BTW, to handle the account lockouts, we have increased the accepted rate of failures. Students are moving away from our WPA2-enterprise because of this issue (they fail once, blame it on Wi-Fi, then go to the MAC based authentication network). We definitely plan to move away from password based WPA2-enterprise in favor of certificate based WPA2-enterprise in a near future. Best, Philippe Hanset Univ. of TN www.eduroamus.org<http://www.eduroamus.org> On Nov 7, 2011, at 5:19 PM, Fleming, Tony wrote: Crew, We have had several complaints from our students about wireless trouble. We believe we have a couple issues going on: Account lockouts – Our students are allowed to register four devices on WiFi and the majority of our students using all of their registrations ( laptops/ipads/smartphones…) What we see are a lot of password failures resulting in account lockouts. If one of their four devices has a bad username and password combination stored in the WiFi profile, it just compounds the problem and creates a lot of confusion for our students. Sadly, these devices do not return a failure cause to the user and is interpreted as a bad signal or bad network. OSX and WPA2 – It is our observation that OSX has a continual history of WPA2 bugs. My questions to the group: How do you guys handle Account lockouts? Do your students interpret these issues as WiFi trouble? If so, how are you changing that perception? Have any of you abandoned 802.1x (PEAP) because of this issue? Do you see the same trouble with OSX and WPA2? ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found athttp://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
