FR 1.1.7 + AD 2003 + LDAP
Phil Mayers
p.mayers at imperial.ac.uk
Wed Apr 9 11:38:42 CEST 2008
Charlie B wrote:
> Has no one else experienced this issue where reset password confuses
> WinXP? I really don't want to use IAS. Any ideas?
Let me get this straight: You have machines in the domain, users doing
domain logins, and wired 802.1x using the domain credentials. When you
change a user's password, the username/password cached on the client is
no longer valid, and they fall off the network.
It's hard to see what else could happen; you've changed their password
and given the machine they're logged onto no way of knowing that. Why
don't you just let them change their password?
Very likely many resources would continue to be accessible because the
credential cache includes a valid Kerberos TGT but that isn't used for
802.1x/MS-CHAP - it's the plain username/password.
Whatever happens, the client machine would have to prompt the user for
their new username/password.
Does this work with IAS? If so, it may be that there's an error code
which can be put in an MS-CHAP-Error attribute. However, very likely
Samba would have to generate the error code.
In short, I don't think it's going to work any time soon.
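As an added illustration of the MS-CHAP-Error attribute mentioned above (example code, not from this thread or from FreeRADIUS): a parser for the error text a RADIUS server would place in that attribute, in the layout RFC 2759 defines, run over a constructed sample value. The leading Ident byte and the error-code table come from RFC 2759; the function names and the sample are assumptions for this example.

```python
import re

# Layout of the MS-CHAP-Error text defined in RFC 2759 section 6 (MS-CHAPv2).
# In RADIUS the vendor attribute carries one Ident byte in front of this text.
_ERR_RE = re.compile(
    r"E=(?P<code>\d+)\s+R=(?P<retry>[01])"
    r"(?:\s+C=(?P<challenge>[0-9A-Fa-f]{32}))?"
    r"(?:\s+V=(?P<version>\d+))?"
    r"(?:\s+M=(?P<msg>.*))?$"
)

# Error codes listed in RFC 2759 section 6.
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

def parse_mschap_error(attr: bytes) -> dict:
    """Split a raw MS-CHAP-Error value (Ident byte + text) into its fields."""
    ident, text = attr[0], attr[1:].decode("ascii", errors="replace")
    m = _ERR_RE.match(text)
    if not m:
        raise ValueError(f"malformed MS-CHAP-Error text: {text!r}")
    code = int(m.group("code"))
    return {
        "ident": ident,
        "code": code,
        "name": ERROR_NAMES.get(code, "UNKNOWN"),
        "retry_allowed": m.group("retry") == "1",
        "challenge": (m.group("challenge") or "").lower() or None,
        "version": int(m.group("version")) if m.group("version") else None,
        "message": m.group("msg") or "",
    }

def client_should_reprompt(err: dict) -> bool:
    """True when the only way forward is to ask the user for a (new) password:
    an expired password (648) or an auth failure where the server allows a retry."""
    return err["code"] == 648 or (err["code"] == 691 and err["retry_allowed"])

# Constructed sample (hypothetical): what a server might send after a password reset.
SAMPLE = b"\x01E=648 R=1 C=00112233445566778899AABBCCDDEEFF V=3 M=Password expired"
```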