IMO, the best solution is to stop using EAP-PEAP and start using EAP-TLS instead. With per-device certificates, you never have to worry again about account lockouts caused by wireless devices, and you can control access per-device rather than per-user.
On Fri, Apr 17, 2015 at 08:28:26AM -0400, Jesse Thomas wrote:
> Hi Everyone
>
> We recently rolled out a new password policy which includes an
> account lockout after a number of failed authentications. We are
> experiencing a fair amount of lockouts after users change their
> password, but fail to update their wireless devices with the new
> credentials. The devices have the "old" password cached and keep
> trying to connect to wireless, ultimately resulting in a locked
> account.
>
> We use Cisco ACS 5.5 for RADIUS against MS AD 2008R2 (PEAP w/
> MS-CHAPv2). Server 2003 SP1+ has a feature called "Password history
> check (N-2)" that isn't supposed to increment the badPwdCount "if
> the password is the same as one of the last two entries that are in
> the password history".
>
> (https://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396)
>
> This works as-expected with authentications from Windows and Mac
> domain-joined desktops (logins, connecting to shared drives, etc.),
> but does NOT work with authentications coming from RADIUS.
>
> Unfortunately there is precious little info available from MS
> regarding the feature (requirements and/or configuration) and cases
> opened with both MS and Cisco have not provided any additional
> information.
>
> I'm wondering if anyone here has gotten this to work with RADIUS,
> Cisco ACS or otherwise, so we know if we should continue to pursue
> this or not?
>
> Thanks in advance,
>
>
> --
> Jesse Thomas
> Network & Systems Administrator
> Hamilton College
> 315-859-4211
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
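Added example, not part of the thread above: a PowerShell triage script for the situation Jesse describes, i.e. working out which host is feeding the stale password to AD before deciding whether to chase the N-2 feature or move to EAP-TLS. It reads badPwdCount and lastBadPasswordAttempt from every domain controller separately, because those attributes are not replicated, and then groups event 4740 on the PDC emulator (where every lockout is chained) by its "Caller Computer Name" field. For PEAP/MS-CHAPv2 that field names the host that submitted the credentials to the DC, which is the RADIUS server (ACS or NPS), not the phone or laptop itself, so a lockout source showing the ACS hostname is the signature of the cached-password problem. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the PDC's Security log remotely; the account name and time window are script parameters, and the 'jsmith' value in the usage line is a placeholder.

```powershell
# Added example (not code from the original thread). Assumes the RSAT
# ActiveDirectory module and remote read access to the PDC emulator's
# Security log. Usage:  .\Find-LockoutSource.ps1 -SamAccountName jsmith -Hours 24
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$Hours = 24
)

Import-Module ActiveDirectory

# 1. badPwdCount / lastBadPasswordAttempt are NOT replicated, so every DC
#    must be asked individually; the DC with the freshest timestamp is the
#    one the failing authentications are landing on.
$dcs = Get-ADDomainController -Filter *
$counters = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, lastBadPasswordAttempt, lockoutTime
        [pscustomobject]@{
            DC          = $dc.HostName
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = $u.lastBadPasswordAttempt
            LockedOut   = ($u.lockoutTime -gt 0)
        }
    }
    catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}
$counters | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize

# 2. Every lockout is chained to the PDC emulator, which logs event 4740
#    with a "Caller Computer Name" naming the host that submitted the bad
#    password. For wireless PEAP/MS-CHAPv2 that is the RADIUS server, not
#    the client device, so the ACS host showing up here points at cached
#    wireless credentials rather than a user typing the wrong password.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

$acct = [regex]::Escape($SamAccountName)
$events |
    Where-Object { $_.Message -match "(?m)^\s*Account Name:\s+$acct\s*$" } |
    ForEach-Object {
        $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Caller = $caller }
    } |
    Group-Object Caller |
    Sort-Object Count -Descending |
    Select-Object @{n = 'CallerComputer'; e = { $_.Name }}, Count
```

If the caller column is dominated by the ACS server, the next step is on the RADIUS side (ACS's own failed-authentication report, filtered by that username, will show the client MAC and SSID), which is also where per-device certificates under EAP-TLS remove the problem entirely: a device that presents a revoked or expired certificate fails at the TLS handshake and never touches the account's badPwdCount.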
