I saw this on this list the day after my account had been locked, as always happens upon a pw change (grrrr). (Thanks to whoever posted it.) I suggested we turn this bit on at Indiana. The ADS people have tested it for a month and are happy with it. Security OK'd it today. The identity people identified two minor downsides, but agree the benefits significantly outweigh the negatives. Their concerns:

1. With service accounts, changing passwords can be pretty tricky because you have to give the new password in so many places. As a result, the usual fallback is to revert to the old password. You can still do that here, you just have to go A->B->C->A instead of A->B->A.

2. If we ever bring another service online and start doing password syncing again (like we did when we had ADS/Kerberos) then failed syncs get a little trickier.

I've told the head of support she owes me $10,000 but I have yet to see a check.

Tom Zeller
Indiana University
[email protected]

From: "Hurt,Trenton William" <[email protected]>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]>
Date: Fri, 9 Dec 2011 15:21:05 +0000
To: <[email protected]>
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

I know this is a month old, but I have a question regarding the password history check setting. I have suggested this to my AD team but they aren't familiar with the setting and want to test for months, etc. I really am pushing for them to make the change so that users will get relief from the locking accounts. Are there any adverse effects that anyone knows of once this setting is turned on? Thanks for any feedback and big thanks to Jeff for this suggestion.

Thanks
Trent

Trenton Hurt, CWNA, CCNP(W), CCNA(W), CCNA(V), CCNA(R/S)
Wireless Network Administrator
University of Louisville
Phone (502) 852-1513
FAX (502) 852-1424

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jeffrey Sessler
Sent: Tuesday, November 08, 2011 6:45 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

I should have added: Assuming that you have an account lockout policy defined, all you should need to do to get this working is to enable/define a password history policy. Once defined, the password history check (n-2) should then work.

Jeff

>>> On Tuesday, November 08, 2011 at 11:29 AM, in message
>>> <[email protected]>,
>>> Jeffrey Sessler <[email protected]>
>>> wrote:

I wanted to add that if you're using AD as your authentication source, look at implementing "Password history check (N-2)". With Password history check (N-2), as long as the password being used is one of the last two in the history file, the bad password count is not incremented... thus, no account lockout when using an old, but valid password. That is, while the user can't authenticate using the old password (it still fails as an incorrect password), account lockout doesn't occur. It works around the problem where a user changes their password on, say, their desktop, and then their mobile device instantly locks their account as it attempts to auth on WPA.

Jeff

>>> On Tuesday, November 08, 2011 at 6:55 AM, in message
>>> <[email protected]>,
>>> "Fleming, Tony" <[email protected]> wrote:

Thank you for all of the responses. It appears several of you are not allowing the accounts to be locked out, and that would help our situation too.

We also use radius which proxies AD for authentication. For those of you that are not allowing account lockout: is that done on a global level in your AD, or are you able to selectively prevent some authentication sources from locking out the account (i.e. don't allow radius requests to lock out the account, however, allow workstation failures to lock out the account)?

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jack Vizelter
Sent: Tuesday, November 08, 2011 7:15 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

As per our networking group, we're using a windows radius server which is our proxy for AD authentication to our secure wireless network.

-jack

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of John Hayward
Sent: Monday, November 07, 2011 9:05 PM
To: [email protected]
Subject: **PHISHING?** Re: WPA2-Enterprise - account lockouts and password changes

What radius server do you use? We had a similar issue with a freeradius server using Novell NDS ldap authentication. The current freeradius server has this issue fixed.

johnh...

________________________________
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] on behalf of Jack Vizelter [[email protected]]
Sent: Monday, November 07, 2011 5:42 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] WPA2-Enterprise - account lockouts and password changes

We use WPA2 Enterprise on our wireless network and we've seen OSX connectivity issues to our wireless network that authenticates against our LDAP/AD when using WPA2 Ent.

When a user authenticates the first time and saves the password in the wifi profile and keychain and then changes their LDAP/AD password, the wireless profile does not always prompt to enter a new password. This causes the wireless not to connect. And when it does, the airport has multiple wifi profiles for the same SSID, causing issues. What we've found that works (at least thus far) is to both delete duplicate wireless profiles and delete the keychain password. Then manually update the password for the remaining wireless profile with the new password. Unfortunately, we require password changes annually. We do enforce LDAP & AD password lockouts after several failed attempts, but they auto-unlock themselves after a fixed period.

-jack

On Nov 7, 2011, at 5:19 PM, Fleming, Tony wrote:

Crew,

We have had several complaints from our students about wireless trouble. We believe we have a couple issues going on:

Account lockouts - Our students are allowed to register four devices on WiFi and the majority of our students use all of their registrations (laptops/ipads/smartphones…). What we see are a lot of password failures resulting in account lockouts. If one of their four devices has a bad username and password combination stored in the WiFi profile, it just compounds the problem and creates a lot of confusion for our students. Sadly, these devices do not return a failure cause to the user, and it is interpreted as a bad signal or bad network.

OSX and WPA2 - It is our observation that OSX has a continual history of WPA2 bugs.

My questions to the group:
How do you guys handle Account lockouts?
Do your students interpret these issues as WiFi trouble? If so, how are you changing that perception?
Have any of you abandoned 802.1x (PEAP) because of this issue?
Do you see the same trouble with OSX and WPA2?

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
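The lockout behaviour the thread is discussing, as an added simulation that is not code from the thread, from EDUCAUSE or from Microsoft. It models the AD pieces the messages name (bad password count, lockout threshold, enforced password history and the "Password history check (N-2)" exemption) so the two scenarios can be run side by side: Jeff's stale mobile device retrying an old password after a desktop password change, and Tom's service-account caveat that A->B->A is blocked by history while A->B->C->A is not. The class and function names (Policy, Account, stale_device_outcome, service_account_rotation) are mine, and two simplifications are assumptions rather than documented AD behaviour: the history count includes the current password, and the N-2 exemption only covers previous passwords the history policy still retains, up to two.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Policy:
    """Assumed subset of an AD domain password policy (hypothetical model)."""
    lockout_threshold: int = 5        # bad attempts before lockout; 0 = never lock
    password_history_count: int = 2   # passwords remembered, current one included
    n2_check: bool = True             # "Password history check (N-2)" behaviour


class Account:
    def __init__(self, policy: Policy, initial_password: str):
        self.policy = policy
        self.current = initial_password
        # Previous passwords, most recent first, trimmed to what the history
        # policy retains (count - 1, since the current password is also counted).
        self.previous = deque(maxlen=max(policy.password_history_count - 1, 0))
        self.bad_pwd_count = 0
        self.locked = False

    def remembered(self) -> list:
        return [self.current, *self.previous]

    def change_password(self, new_password: str) -> bool:
        """Enforce password history: reject any password still remembered."""
        if new_password in self.remembered():
            return False
        self.previous.appendleft(self.current)
        self.current = new_password
        return True

    def authenticate(self, attempt: str) -> bool:
        """One logon attempt, e.g. a PEAP auth proxied by RADIUS to AD."""
        if self.locked:
            return False
        if attempt == self.current:
            self.bad_pwd_count = 0   # a good logon resets badPwdCount
            return True
        # N-2: an old but recently valid password still fails, but the failure
        # is not counted toward lockout (assumption: only passwords the history
        # policy still retains qualify, at most the two most recent).
        if self.policy.n2_check and attempt in list(self.previous)[:2]:
            return False
        self.bad_pwd_count += 1
        if self.policy.lockout_threshold and self.bad_pwd_count >= self.policy.lockout_threshold:
            self.locked = True
        return False


def stale_device_outcome(n2_check: bool, retries: int = 20, threshold: int = 5) -> dict:
    """Desktop changes A->B; a phone keeps retrying the saved password A."""
    policy = Policy(lockout_threshold=threshold, password_history_count=2, n2_check=n2_check)
    acct = Account(policy, "A")
    acct.change_password("B")
    results = [acct.authenticate("A") for _ in range(retries)]
    return {"any_success": any(results), "locked": acct.locked, "bad_pwd_count": acct.bad_pwd_count}


def service_account_rotation() -> dict:
    """Tom's caveat: reverting A->B->A is blocked by history; A->B->C->A is allowed."""
    acct = Account(Policy(password_history_count=2), "A")
    return {
        "A->B": acct.change_password("B"),
        "B->A (revert)": acct.change_password("A"),
        "B->C": acct.change_password("C"),
        "C->A (revert)": acct.change_password("A"),
    }


if __name__ == "__main__":
    print("N-2 on: ", stale_device_outcome(True))
    print("N-2 off:", stale_device_outcome(False))
    print("rotation:", service_account_rotation())
```

With N-2 on, the stale device never authenticates but never drives the counter up, which is exactly the relief the thread is after; with it off, the same device locks the account after the threshold is reached. A genuinely wrong password (a mistyped credential saved in a profile) still counts in both cases, so the exemption does not weaken lockout against guessing. Note the dependency Jeff points out: if no password history is retained, the old password is not remembered and nothing is exempt.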
