Expired Active Directory Passwords & Wireless Authentication

Phil Mayers p.mayers at imperial.ac.uk
Wed Oct 10 10:50:15 CEST 2012

On 10/10/2012 03:21 AM, Jason Agress wrote:
> Will that allow successful RADIUS authentication - and, therefore
> wireless access - before the password change is initiated? Because our
> clients are Macs that won't prompt for password change until after they
> are connected to the wireless and authenticating against AD.

Ah. Then no, mschap password changes won't help. FreeRADIUS just calls 
out to AD to auth users. If AD refuses to auth because the password is 
expired, the only thing you can do is a password change, which requires 
client support.

Since you're using Macs, you do have one option - change your EAP method 
to be EAP-TTLS/PAP. PAP, or methods wrapping PAP, are the only auth 
types you can "force" an accept on. Other auth types use 
challenge/response methods that require both sides to prove to each other 
that they know the credentials.

To implement this, you'd:

  1. Install FreeRADIUS
  2. Get EAP working with a local user
  3. Get EAP working with AD users via Samba

Everything up to this point is documented - see the wiki or 
deployingradius.com. Once you've got that far, you need to set up two things:

  * TTLS
  * A script to auth PAP against AD, wrapping ntlm_auth

The idea is that the script wrapping ntlm_auth will, if ntlm_auth fails, 
check for "expired" and force a success.

Anyway - if you're willing to move from PEAP to TTLS, get the basics 
working then if you need advice, ask here again - people will be glad to 
help. It's relatively straightforward, but all the pieces might not be 
documented in obvious places.
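The ntlm_auth wrapper sketched above, written out as an added example (not code from the post or from the FreeRADIUS project): an rlm_exec-style script that turns a failed ntlm_auth call into an accept only when AD reports a correct-but-expired password, and still rejects wrong passwords and locked or disabled accounts. It assumes rlm_exec's export of request attributes as environment variables (User-Name as USER_NAME, User-Password as USER_PASSWORD) and a site domain in NTLM_DOMAIN.

```shell
#!/bin/sh
# Hypothetical rlm_exec wrapper for PAP-over-TTLS against AD (added example).
# rlm_exec treats exit status 0 as Access-Accept and non-zero as Access-Reject.
# NTLM_DOMAIN is an assumption; set it to your AD NetBIOS domain.
NTLM_DOMAIN="${NTLM_DOMAIN:-EXAMPLE}"

# Decide the RADIUS outcome from ntlm_auth's exit status ($1) and stdout ($2).
# Returns 0 (accept) or 1 (reject). Only a correct-but-expired password is
# forced to an accept: AD reports NT_STATUS_PASSWORD_EXPIRED or
# NT_STATUS_PASSWORD_MUST_CHANGE only after the supplied password matched.
# A wrong password (NT_STATUS_WRONG_PASSWORD), a locked-out or a disabled
# account all stay rejected, so the "force" never bypasses the password check.
classify_ntlm_result() {
    status="$1"
    output="$2"
    if [ "$status" -eq 0 ]; then
        return 0
    fi
    case "$output" in
        *NT_STATUS_PASSWORD_EXPIRED*|*NT_STATUS_PASSWORD_MUST_CHANGE*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Run ntlm_auth on the cleartext PAP credentials and classify the result.
# The status line is echoed so it shows up in the FreeRADIUS debug output.
# As with the stock ntlm_auth exec config, the password is passed on the
# command line, so keep the RADIUS host locked down to admins.
pap_auth_against_ad() {
    user="$1"
    pass="$2"
    if out=$(ntlm_auth --request-nt-key --domain="$NTLM_DOMAIN" \
                       --username="$user" --password="$pass" 2>&1); then
        rc=0
    else
        rc=$?
    fi
    echo "$out"
    classify_ntlm_result "$rc" "$out"
}

# Entry point when invoked by rlm_exec; skipped when the file is only sourced.
if [ -n "$USER_NAME" ] && [ -n "$USER_PASSWORD" ]; then
    pap_auth_against_ad "$USER_NAME" "$USER_PASSWORD"
    exit $?
fi
```

Users admitted this way still hold a correct password, so the follow-on step is to let the Mac reach AD and complete the change rather than to treat the accept as a full login.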
