NAC - Users not able to change their passwords via RADIUS and MSCHAPv2

My customer has an environment with inline CAS for wireless users and out-of-band CAS for wired users. The wireless controllers and Clean Access users authenticate with RADIUS and MSCHAPv2 to a Microsoft IAS 2003 server. When the users' passwords expire there is no problem changing the password for the wireless users, but for the out-of-band users, who only use the Clean Access agent, the login fails with the message: Wrong username or password. Does anyone know if it is possible to give the users the password-change dialog in the Clean Access agent? Or is this a "mission impossible"? Clean Access version is 4.1.3.

smahbub Fri, 08/22/2008 - 06:05

It is important to provide secure passwords for the user accounts in Cisco NAC Appliance system, and to change them from time to time to maintain system security. The suite does not generally impose standards for the passwords you choose, but it is advised that you use strong passwords, that is, passwords with at least six characters, mixed letters and numbers, and so on. Strong passwords reduce the likelihood of a successful password guessing attack against your system.

This link may help:

Hi, and thanks for answering the post. Yes, I totally agree with what you say about strong passwords, but that is not the issue here. The password policy (which is strong) is enforced by the Active Directory that the RADIUS server authenticates the CAS users against. The password policy in this AD also defines that the users must change their password at least every 90 days. But when a CAS user's password has expired in the AD, the Clean Access agent does not give the user any possibility to change his password, or even a warning telling the user that the password has expired and has to be changed. That is the issue here.

No, not AD SSO. Most of the computers are not members of the AD at all. The CAM uses RADIUS and MSCHAPv2 against the IAS server running on the domain controller. The Clean Access users created in AD are divided into two groups, and then we use an IAS policy based on which AD group the user belongs to in order to decide if the user is a guest or a long-term user with extended rights on the network. Then we use mapping on the CAM to put the user into the correct VLAN on the switch. Later we plan to make images with computers that are also members of the same AD.


