Hi Everyone
We recently rolled out a new password policy which includes an account
lockout after a number of failed authentications. We are experiencing a
fair amount of lockouts after users change their password, but fail to
update their wireless devices with the new credentials. The devices have
the "old" password cached and keep trying to connect to wireless,
ultimately resulting in a locked account.
We use Cisco ACS 5.5 for RADIUS against MS AD 2008R2 (PEAP w/
MS-CHAPv2). Server 2003 SP1+ has a feature called "Password history
check (N-2)" that isn't supposed to increment the badPwdCount "if the
password is the same as one of the last two entries that are in the
password history".
(https://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396)
This works as expected with authentications from Windows and Mac
domain-joined desktops (logins, connecting to shared drives, etc.), but
does NOT work with authentications coming from RADIUS.
Unfortunately there is precious little info available from MS regarding
the feature (requirements and/or configuration) and cases opened with
both MS and Cisco have not provided any additional information.
I'm wondering if anyone here has gotten this to work with RADIUS, Cisco
ACS or otherwise, so we know if we should continue to pursue this or not?
Thanks in advance,
--
Jesse Thomas
Network & Systems Administrator
Hamilton College
315-859-4211
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
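A diagnostic an admin chasing this can run, added here as an example and not part of the original post or of any Microsoft or Cisco tooling: badPwdCount is held per domain controller and is not replicated, while a DC that sees a failed password normally chains the attempt to the PDC emulator, which is where the N-2 history comparison is evaluated. Snapshotting the counter on every DC for one account before and after a controlled bad-password attempt (first from a domain-joined desktop, then from a wireless device holding the old password via PEAP/MS-CHAPv2) shows directly which path increments the counter and on which DC. It assumes the RSAT ActiveDirectory module and read access to every DC; the account name is supplied by the caller.

```powershell
# Added example (not from the original post): per-DC bad-password snapshot for one account.
# Assumes the ActiveDirectory module (RSAT) and LDAP read access to every DC in the domain.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

$pdc       = (Get-ADDomain).PDCEmulator
$threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold
Write-Host "Domain lockout threshold: $threshold  (PDC emulator: $pdc)"

# Query each DC individually: badPwdCount is per-DC state and does not replicate,
# so a domain-wide query would only show the value held by whichever DC answered.
$rows = Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                -Properties BadLogonCount, LastBadPasswordAttempt, AccountLockoutTime, LockedOut
        [PSCustomObject]@{
            DC                     = $dc
            IsPDCEmulator          = ($dc -eq $pdc)
            BadLogonCount          = $u.BadLogonCount          # badPwdCount on this DC
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt # badPasswordTime, converted
            LockedOut              = $u.LockedOut
            AccountLockoutTime     = $u.AccountLockoutTime     # lockoutTime, converted
        }
    }
    catch {
        # A DC that cannot be reached still gets a row so the gap is visible.
        [PSCustomObject]@{
            DC                     = $dc
            IsPDCEmulator          = ($dc -eq $pdc)
            BadLogonCount          = "ERROR: $($_.Exception.Message)"
            LastBadPasswordAttempt = $null
            LockedOut              = $null
            AccountLockoutTime     = $null
        }
    }
}

# PDC emulator first, because the N-2 history check is applied when the
# failed attempt is chained there; a count that rises on the PDC after a
# RADIUS-sourced failure with an old password is the symptom being chased.
$rows | Sort-Object IsPDCEmulator -Descending | Format-Table -AutoSize
```

Run it as `.\Show-BadPwdCount.ps1 -SamAccountName jdoe` (a placeholder account) immediately after each test. In the desktop case the PDC emulator's BadLogonCount should stay flat when the typed password is one of the last two in history; if the same account's count climbs after the wireless device retries with the old password, the difference lies in the RADIUS/MS-CHAPv2 path rather than in the policy itself, which is the evidence to bring back to the Microsoft and Cisco cases. Per-DC counters also explain why the lockout can appear on one DC before another.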