Thank you for all of the responses. It appears several of you are not allowing the accounts to be locked-out and that would help our situation too. We also use radius which proxies AD for authentication. For those of you that are not allowing account lockout - is that done on a global level in your AD, or are you able to selectively prevent some authentication sources from locking-out the account (i.e. - don't allow radius requests to lock out the account, however, allow workstation failures to lock out the account)?
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jack Vizelter
Sent: Tuesday, November 08, 2011 7:15 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

As per our networking group, we're using a windows radius server which is our proxy for AD authentication to our secure wireless network.

-jack

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of John Hayward
Sent: Monday, November 07, 2011 9:05 PM
To: [email protected]
Subject: **PHISHING?** Re: WPA2-Enterprise - account lockouts and password changes

What radius server do you use? We had a similar issue with freeradius server using Novell NDSldap authentication. The current freeradius server has this issue fixed.

johnh...

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Jack Vizelter [[email protected]]
Sent: Monday, November 07, 2011 5:42 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

We use WPA2 Enterprise on our wireless network and we've seen OSX connectivity issues to our wireless network that authenticates against our LDAP/AD when using WPA2 Ent. When a user authenticates the first time and saves the password in the wifi profile and keychain and then changes their LDAP/AD password, the wireless profile does not always prompt to enter a new password. This causes the wireless not to connect. And when it does, the airport has multiple wifi profiles for the same SSID causing issues.

What we've found that works (at least thus far) is to both delete duplicate wireless profiles and delete the keychain password. Then update manually the password only for the remaining wireless profile with the new password.

Unfortunately, we require password changes annually. We do enforce LDAP & AD password lockouts after several failed attempts, but they auto-unlock themselves after a fixed period.

-jack

On Nov 7, 2011, at 5:19 PM, Fleming, Tony wrote:

Crew,

We have had several complaints from our students about wireless trouble. We believe we have a couple issues going on:

Account lockouts - Our students are allowed to register four devices on WiFi and the majority of our students are using all of their registrations (laptops/ipads/smartphones...). What we see are a lot of password failures resulting in account lockouts. If one of their four devices has a bad username and password combination stored in the WiFi profile, it just compounds the problem and creates a lot of confusion for our students. Sadly, these devices do not return a failure cause to the user and this is interpreted as a bad signal or bad network.

OSX and WPA2 - It is our observation that OSX has a continual history of WPA2 bugs.

My questions to the group:

How do you guys handle Account lockouts?
Do your students interpret these issues as WiFi trouble? If so, how are you changing that perception?
Have any of you abandoned 802.1x (PEAP) because of this issue?
Do you see the same trouble with OSX and WPA2?

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
