On 10/10/2012 12:31 AM, Jason Agress wrote:
Hi all,
We're currently using Microsoft IAS for RADIUS on our Cisco managed wireless network. We do wireless logon on our clients, which requires the user to first authenticate to RADIUS to initiate the wireless connection, then authenticate against Active Directory to complete the login process.
The problem we run into is when a user's password expires and RADIUS authentication is unsuccessful; since the wireless connection cannot be made, AD cannot be contacted to authenticate the user and, ideally, prompt to change the password.
I've read lots about this problem with FreeRADIUS and have seen some implied solutions, but nothing concrete. So here's my question: With FreeRADIUS, is there a way to allow successful RADIUS authentication with an expired password?
You can't do that, no. Successful auth against AD requires AD to cooperate, and it won't do that if the password has expired - but see right at the very end. As Alan says, you can instead do MSCHAP password changes with the "master" branch of FreeRADIUS and a client that supports it. But TBH I'm surprised this isn't working with IAS. What software are you running on the clients? Any non-standard supplicants?