Expired Active Directory Passwords & Wireless Authentication
Hi all, We're currently using Microsoft IAS for RADIUS on our Cisco managed wireless network. We do wireless logon on our clients, which requires the user to first authenticate to RADIUS to initiate the wireless connection, then authenticate against Active Directory to complete the login process. The problem we run into is when a user's password expires and RADIUS authentication is unsuccessful; since the wireless connection cannot be made, AD cannot be contacted to authenticate the user and, ideally, prompt to change the password. I've read lots about this problem with FreeRADIUS and have seen some implied solutions, but nothing concrete. So here's my question: With FreeRADIUS, is there a way to allow successful RADIUS authentication with an expired password? This way the AD login process can commence and the user can be prompted to change his/her password wirelessly. Thanks in advance!
Jason Agress wrote:
I've read lots about this problem with FreeRADIUS and have seen some implied solutions, but nothing concrete. So here's my question: With FreeRADIUS, is there a way to allow successful RADIUS authentication with an expired password? This way the AD login process can commence and the user can be prompted to change his/her password wirelessly.
Use the git "master" branch. It supports changing passwords via PEAP. See raddb/mods-available/mschap Alan DeKok.
On 10/10/2012 12:31 AM, Jason Agress wrote:
Hi all,
We're currently using Microsoft IAS for RADIUS on our Cisco managed wireless network. We do wireless logon on our clients, which requires the user to first authenticate to RADIUS to initiate the wireless connection, then authenticate against Active Directory to complete the login process.
The problem we run into is when a user's password expires and RADIUS authentication is unsuccessful; since the wireless connection cannot be made, AD cannot be contacted to authenticate the user and, ideally, prompt to change the password.
I've read lots about this problem with FreeRADIUS and have seen some implied solutions, but nothing concrete. So here's my question: With FreeRADIUS, is there a way to allow successful RADIUS authentication with an expired password?
You can't do that, no. Successful auth against AD requires AD to cooperate, and it won't do that if the password has expired - but see right at the very end. As Alan says, you can instead do MSCHAP password changes with the "master" branch of FreeRADIUS and a client that supports it. But TBH I'm surprised this isn't working with IAS. What software are you running on the clients? Any non-standard supplicants?
participants (3)
-
Alan DeKok -
Jason Agress -
Phil Mayers