On 04/17/2015 08:28 AM, Jesse Thomas wrote:
> Hi Everyone
>
> We recently rolled out a new password policy which includes an account
> lockout after a number of failed authentications. We are experiencing a
> fair amount of lockouts after users change their password, but fail to
> update their wireless devices with the new credentials. The devices have
> the "old" password cached and keep trying to connect to wireless,
> ultimately resulting in a locked account.
>
> We use Cisco ACS 5.5 for RADIUS against MS AD 2008R2 (PEAP w/
> MS-CHAPv2). Server 2003 SP1+ has a feature called "Password history
> check (N-2)" that isn't supposed to increment the badPwdCount "if the
> password is the same as one of the last two entries that are in the
> password history".
>
> (https://technet.microsoft.com/en-us/library/cc780271%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396)
>
> This works as expected with authentications from Windows and Mac
> domain-joined desktops (logins, connecting to shared drives, etc.), but
> does NOT work with authentications coming from RADIUS.
>
> Unfortunately there is precious little info available from MS regarding
> the feature (requirements and/or configuration) and cases opened with
> both MS and Cisco have not provided any additional information.
>
> I'm wondering if anyone here has gotten this to work with RADIUS, Cisco
> ACS or otherwise, so we know if we should continue to pursue this or not?
>
> Thanks in advance,
>
> --
> Jesse Thomas
> Network & Systems Administrator
> Hamilton College
> 315-859-4211
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
With my Aruba setup, I got around this by blacklisting clients for 1 minute longer than the AD lockout timer and at one less authentication attempt than the AD account lockout. This handled the mobile devices with the old password problem. Mostly iOS and older Android kept banging away with the old account or with blank passwords. Blackberries gave up and disabled the profiles after failure to connect. EAP-TLS is also a good idea obviously.

--
-James
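An added simulation (not code from James, Aruba or anyone in the thread) of why the reply's two tuning choices work together: the controller blacklists a client MAC one failure before AD's lockout threshold, so badPwdCount peaks one below the lockout value, and it keeps the client blacklisted one minute longer than AD's counter-reset window, so the counter has reset by the time the device is allowed to retry. The policy numbers (threshold 5, 30-minute window), the modelled AD counter semantics and the client MAC are all constructed assumptions, not values from the thread.

```python
"""Simulate a wireless client retrying a cached, stale password against RADIUS/AD,
with and without a controller-side client blacklist tuned as James describes."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed policy values (assumptions, not taken from the thread).
AD_LOCKOUT_THRESHOLD = 5          # bad passwords before AD locks the account
AD_COUNTER_WINDOW_S = 30 * 60     # "Reset account lockout counter after" (seconds)


@dataclass
class ADAccount:
    """Minimal model of AD's badPwdCount / lockout behaviour (assumed semantics)."""
    bad_pwd_count: int = 0
    last_bad_time: Optional[float] = None
    locked: bool = False

    def failed_auth(self, now: float) -> None:
        # The counter resets once the observation window has passed since the
        # last bad password; otherwise every failure increments it.
        if self.last_bad_time is not None and now - self.last_bad_time >= AD_COUNTER_WINDOW_S:
            self.bad_pwd_count = 0
        self.bad_pwd_count += 1
        self.last_bad_time = now
        if self.bad_pwd_count >= AD_LOCKOUT_THRESHOLD:
            self.locked = True


@dataclass
class NASBlacklist:
    """Per-client-MAC failure counter and temporary blacklist on the controller."""
    threshold: int
    duration_s: float
    failures: Dict[str, List[float]] = field(default_factory=dict)
    blocked_until: Dict[str, float] = field(default_factory=dict)

    def is_blocked(self, mac: str, now: float) -> bool:
        return self.blocked_until.get(mac, 0.0) > now

    def record_failure(self, mac: str, now: float) -> None:
        recent = [t for t in self.failures.get(mac, []) if now - t < self.duration_s]
        recent.append(now)
        if len(recent) >= self.threshold:
            # Blacklist the client; start counting afresh once the block expires.
            self.blocked_until[mac] = now + self.duration_s
            recent = []
        self.failures[mac] = recent


def simulate(nas: Optional[NASBlacklist], retry_interval_s: float = 30.0,
             total_s: float = 4 * 3600) -> Tuple[bool, int, int]:
    """Replay a device retrying its stale password every retry_interval_s seconds.

    Returns (account_locked, peak_badPwdCount, requests_forwarded_to_AD).
    """
    account = ADAccount()
    mac = "00:11:22:33:44:55"  # constructed client MAC
    forwarded = 0
    peak = 0
    t = 0.0
    while t < total_s:
        if nas is None or not nas.is_blocked(mac, t):
            # The request reaches RADIUS and therefore AD: one more bad password.
            account.failed_auth(t)
            forwarded += 1
            peak = max(peak, account.bad_pwd_count)
            if nas is not None:
                nas.record_failure(mac, t)
        t += retry_interval_s
    return account.locked, peak, forwarded


def run_scenarios() -> Dict[str, Tuple[bool, int, int]]:
    return {
        "no_blacklist": simulate(None),
        # James's settings: one fewer attempt than AD, one minute longer than AD's timer.
        "tuned_blacklist": simulate(NASBlacklist(AD_LOCKOUT_THRESHOLD - 1, AD_COUNTER_WINDOW_S + 60)),
        # Same threshold as AD: the controller reacts one failure too late.
        "equal_threshold": simulate(NASBlacklist(AD_LOCKOUT_THRESHOLD, AD_COUNTER_WINDOW_S + 60)),
    }


if __name__ == "__main__":
    for name, (locked, peak, forwarded) in run_scenarios().items():
        print(f"{name:16s} locked={locked} peak_badPwdCount={peak} forwarded_to_AD={forwarded}")
```

Over four simulated hours the tuned blacklist lets only four requests per cycle through to AD, badPwdCount never exceeds 4 and the account stays unlocked, while both the unprotected case and the equal-threshold case lock the account on the fifth forwarded failure. The "one minute longer" part matters because the controller's last forwarded failure is what AD stamps as the last bad password; a blacklist shorter than AD's reset window would let the next retry land while the counter is still non-zero.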
