Expired Active Directory Passwords & Wireless Authentication

Phil Mayers p.mayers at imperial.ac.uk
Wed Oct 10 10:37:28 CEST 2012

On 10/10/2012 12:31 AM, Jason Agress wrote:
> Hi all,
> We're currently using Microsoft IAS for RADIUS on our Cisco managed
> wireless network. We do wireless logon on our clients, which requires
> the user to first authenticate to RADIUS to initiate the wireless
> connection, then authenticate against Active Directory to complete the
> login process.
> The problem we run into is when a user's password expires and RADIUS
> authentication is unsuccessful; since the wireless connection cannot be
> made, AD cannot be contacted to authenticate the user and, ideally,
> prompt to change the password.
> I've read lots about this problem with FreeRADIUS and have seen some
> implied solutions, but nothing concrete. So here's my question: With
> FreeRADIUS, is there a way to allow successful RADIUS authentication
> with an expired password?

You can't do that, no. Successful auth against AD requires AD to 
cooperate, and it won't do that if the password has expired - but see 
right at the very end.

As Alan says, you can instead do MSCHAP password changes with the 
"master" branch of FreeRADIUS and a client that supports it. But TBH I'm 
surprised this isn't working with IAS.

What software are you running on the clients? Any non-standard supplicants?
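For readers following up on the MSCHAP password-change hint, here is a sketch of the relevant FreeRADIUS configuration, added as an example and not part of the original thread. It assumes the FreeRADIUS 3.0 `mods-available/mschap` layout (the "master" branch of the time), a host joined to the domain via Samba, and `ntlm_auth` at `/usr/bin/ntlm_auth`; those paths and the join are assumptions, not details from the post.

```conf
# Added example: FreeRADIUS 3.0 mschap module with MS-CHAPv2 password
# change enabled via Samba's ntlm_auth. Paths are assumptions.
mschap {
	# Normal authentication: hand the challenge/response to AD
	# through winbind. AD refuses this once the password has expired,
	# which is the failure the original question describes.
	ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# Let the MS-CHAPv2 conversation continue after a failure so a
	# supplicant that supports it can present a change-password dialog
	# instead of simply disconnecting.
	allow_retry = yes
	retry_msg = "Re-enter (or reset) the password"

	# MS-CHAPv2 (not v1) password change requests. The same ntlm_auth
	# binary performs the change on the domain side; the username and
	# NT-domain are taken from the MS-CHAP attributes of the request.
	passchange {
		ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
		ntlm_auth_username = "username: %{mschap:User-Name}"
		ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
	}
}
```

Two things matter operationally, both consistent with the reply above: the RADIUS server, not the client, talks to AD, so it is the server's winbind join that must be healthy; and the exchange only helps if the supplicant implements the MS-CHAPv2 change-password messages, which is why the question about non-standard supplicants is the right one to ask before changing the server.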
