ACS 3.3 and Windows Password Expiry

nigelb
Level 1

Hi

We have a private DSL-based home worker WAN solution. The users connect via wireless to their router and use PEAP to authenticate to a central ACS 3.3 RADIUS server.

The problem we have is that, because the laptop is not on the network until they have successfully authenticated, they log on to the laptop using cached credentials and don't actually authenticate with the domain. Consequently, the users are not notified when their password is about to expire.

When their password has expired, they are prompted to change it during the wireless logon process, but this doesn't work. Subsequently, they have to travel to their local office to log on to the domain and change their password.

The local routers are Netgear set for WPA-802.1x, the laptops are set for PEAP (EAP-MSCHAP v2), and the RADIUS server is ACS 3.3 authenticating to AD.

Any ideas will be gratefully received.

Thanks

5 Replies

Jagdeep Gambhir
Level 10

Requirements for implementing the PEAP Windows password aging mechanism include:

The AAA client must support EAP.

Users must be in a Windows user database.

Users must be using a Microsoft PEAP client, such as Windows XP.

You must enable PEAP and mschapv2 on the Authentication Configuration page within the System Configuration section.

You must enable PEAP password changes on the Windows Authentication Configuration page.

Regards,

JG

Do rate helpful posts

Thanks JG

So in my scenario, the AAA client is the Netgear router?

Regards

Nigel

Nigel,

No, AAA clients are wireless users. On the Netgear router, make sure mschapv2 is enabled (if that option is there).

Regards,

~JG

pornthip_k
Level 1

I think you should set machine authentication, too.

This may help you. :)

Thanks for all your help, I'll let you know the outcome...
