I wanted to add that if you're using AD as your authentication source, look at implementing "Password history check (N-2)". With Password history check (N-2), as long as the password being used is one of the last two in the history file, the bad password count is not incremented... thus, no account lockout when using an old, but valid, password. That is, while the user can't authenticate using the old password (it still fails as an incorrect password), account lockout doesn't occur. It works around the problem where a user changes their password on, say, their desktop, and then their mobile device instantly locks their account as it attempts to auth on WPA.

Jeff
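An added illustration of the counter behaviour Jeff describes above (example code written for this page, not from the list thread or from Microsoft): a small model of an AD account's bad-password counter, run once with the plain lockout rule and once with the history (N-2) exemption, against a phone that keeps retrying the old WPA2-Enterprise credential after the user changed the password on a desktop. The lockout threshold of 5, the password strings, and the reading of "last two in the history" as the two most recently retired passwords are assumptions; real AD also keeps badPwdCount per domain controller and applies an observation window, both of which this model ignores.

```python
"""Model of AD bad-password counting with and without the "password history
check (N-2)" exemption. Added example, not from the list thread. All numbers
and passwords below are constructed for illustration."""

from collections import deque
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5   # assumed "Account lockout threshold" policy value
HISTORY_GRACE = 2       # the "N-2" rule: two most recently retired passwords


@dataclass
class Account:
    password: str
    # Retired passwords, newest first (assumed history depth of 24).
    retired: deque = field(default_factory=lambda: deque(maxlen=24))
    bad_pwd_count: int = 0
    locked: bool = False

    def change_password(self, new_password: str) -> None:
        """Retire the current password and install the new one."""
        self.retired.appendleft(self.password)
        self.password = new_password

    def authenticate(self, attempt: str, n2_check: bool) -> bool:
        """Return True on success. A wrong password normally increments
        badPwdCount; with n2_check on, a wrong password that is one of the
        two most recently retired ones fails without counting."""
        if self.locked:
            return False
        if attempt == self.password:
            self.bad_pwd_count = 0
            return True
        stale_but_recent = attempt in list(self.retired)[:HISTORY_GRACE]
        if not (n2_check and stale_but_recent):
            self.bad_pwd_count += 1
            if self.bad_pwd_count >= LOCKOUT_THRESHOLD:
                self.locked = True
        return False


def simulate(n2_check: bool, device_password: str, retries: int = 10) -> dict:
    """User changes the password on the desktop; a phone keeps presenting
    device_password to the wireless RADIUS/AD path `retries` times. Then the
    user tries the new password on the desktop."""
    acct = Account(password="Spring2011!")
    acct.change_password("Autumn2011!")        # done on the desktop
    for _ in range(retries):
        acct.authenticate(device_password, n2_check)
    count, locked = acct.bad_pwd_count, acct.locked
    desktop_ok = acct.authenticate("Autumn2011!", n2_check)
    return {"bad_pwd_count": count, "locked": locked, "desktop_ok": desktop_ok}


if __name__ == "__main__":
    # Phone holds the previous (valid but stale) password.
    print("no N-2, stale password :", simulate(False, "Spring2011!"))
    print("N-2,    stale password :", simulate(True, "Spring2011!"))
    # Phone holds a typo: N-2 does not help, the account still locks.
    print("N-2,    mistyped pwd   :", simulate(True, "Sprnig2011!"))
```

The third case is the one to keep in mind when relying on this setting: a device profile holding a password that was never valid (a typo at registration, the case Tony describes) still drives the counter to the threshold, so the N-2 check only removes the lockouts caused by password changes, not those caused by bad stored credentials.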
>>> On Tuesday, November 08, 2011 at 6:55 AM, in message <[email protected]>, "Fleming, Tony" <[email protected]> wrote:

Thank you for all of the responses. It appears several of you are not allowing the accounts to be locked out, and that would help our situation too. We also use RADIUS, which proxies AD for authentication. For those of you that are not allowing account lockout: is that done on a global level in your AD, or are you able to selectively prevent some authentication sources from locking out the account (i.e., don't allow RADIUS requests to lock out the account, however, allow workstation failures to lock out the account)?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jack Vizelter
Sent: Tuesday, November 08, 2011 7:15 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

As per our networking group, we're using a Windows RADIUS server which is our proxy for AD authentication to our secure wireless network.

-jack

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of John Hayward
Sent: Monday, November 07, 2011 9:05 PM
To: [email protected]
Subject: **PHISHING?** Re: WPA2-Enterprise - account lockouts and password changes

What RADIUS server do you use? We had a similar issue with a FreeRADIUS server using Novell NDS LDAP authentication. The current FreeRADIUS server has this issue fixed.

johnh...

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Jack Vizelter [[email protected]]
Sent: Monday, November 07, 2011 5:42 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

We use WPA2 Enterprise on our wireless network, and we've seen OS X connectivity issues to our wireless network that authenticates against our LDAP/AD when using WPA2 Ent.

When a user authenticates the first time and saves the password in the Wi-Fi profile and keychain, and then changes their LDAP/AD password, the wireless profile does not always prompt to enter a new password. This causes the wireless not to connect. And when it does, the AirPort has multiple Wi-Fi profiles for the same SSID, causing issues. What we've found that works (at least thus far) is to both delete duplicate wireless profiles and delete the keychain password, then manually update the password only for the remaining wireless profile with the new password. Unfortunately, we require password changes annually. We do enforce LDAP and AD password lockouts after several failed attempts, but they auto-unlock themselves after a fixed period.

-jack

On Nov 7, 2011, at 5:19 PM, Fleming, Tony wrote:

Crew,

We have had several complaints from our students about wireless trouble. We believe we have a couple of issues going on:

Account lockouts – Our students are allowed to register four devices on Wi-Fi, and the majority of our students are using all of their registrations (laptops/iPads/smartphones...). What we see are a lot of password failures resulting in account lockouts. If one of their four devices has a bad username and password combination stored in the Wi-Fi profile, it just compounds the problem and creates a lot of confusion for our students. Sadly, these devices do not return a failure cause to the user, and it is interpreted as a bad signal or bad network.

OS X and WPA2 – It is our observation that OS X has a continual history of WPA2 bugs.

My questions to the group:

How do you guys handle account lockouts?
Do your students interpret these issues as Wi-Fi trouble? If so, how are you changing that perception?
Have any of you abandoned 802.1X (PEAP) because of this issue?
Do you see the same trouble with OS X and WPA2?

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
