Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
522
Views
1
Helpful
4
Replies

NAC - Users not able to change their passwords via RADIUS and MSCHAPv2

ruj
Level 1
Level 1

‎08-18-2008 02:22 AM - edited ‎02-21-2020 02:58 AM

My customer has an evironment with inline CAS for wireless-users and out-of-band CAS for wired users. The Wireless-controllers and Clean-access users authenticate with RADIUS and MSCHAPv2 to a Microsoft IAS 2003-server. When the users passwords expires there is no problem changing the password for the wireless-users, but the out-of-band users who only uses the Clean-Access agent the login fails with message: Wrong username or password. Does anyone know if it is possible to give the users the password-change dialog in the clean-access agent? Or is this a "mission impossible"?? Clean Access version is 4.1.3.

0 Helpful
4 Replies 4

smahbub
Level 6
Level 6

‎08-22-2008 06:05 AM

It is important to provide secure passwords for the user accounts in Cisco NAC Appliance system, and to change them from time to time to maintain system security. The suite does not generally impose standards for the passwords you choose, but it is advised that you use strong passwords, that is, passwords with at least six characters, mixed letters and numbers, and so on. Strong passwords reduce the likelihood of a successful password guessing attack against your system.

This link may help:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAM/m_admin.html#wp1046192

ruj
Level 1
Level 1
In response to smahbub

‎08-22-2008 01:50 PM

Hi, and thanks for answering the post. Yes, I totally agree upon what you say about strong passwords but that is not the issue here. The password-policy (which is strong) are enforced by the Active Directory which the RADIUS-server authenticates the CAS-users against. The password-policy in this AD also defines that the users must change their password at least after 90 days. But when a CAS-users password has expired in the AD the Clean-Access agent does not give the user any possibility to change his password or even a warning telling the user that the password has expired and has to be changed. That is the issue here.

0 Helpful

m_zabetian
Level 1
Level 1

‎08-28-2008 10:07 AM

what they use for Wired Auth do they USE AD SSO?

0 Helpful

ruj
Level 1
Level 1
In response to m_zabetian

‎08-28-2008 11:52 PM

No, not AD SSO. Most of the computers are not member of the AD at all. The CAM uses RADIUS and mschap v2 against the IAS-server running on the domain-controller. The Clean-Access users created in AD are divided into two groups and then we use IAS-policy based on which AD-group the user belongs to decide if the user is a guest or a long-term user with extended rights on the network. Then we use mapping on the CAM to put the user into correct vlan on the switch. Later we plan for making images with computers also member of the same AD.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card