Cisco Support Community
ruj
New Member

NAC - Users not able to change their passwords via RADIUS and MSCHAPv2

My customer has an environment with inline CAS for wireless users and out-of-band CAS for wired users. The wireless controllers and Clean Access users authenticate with RADIUS and MSCHAPv2 to a Microsoft IAS 2003 server. When the users' passwords expire there is no problem changing the password for the wireless users, but for the out-of-band users, who only use the Clean Access agent, the login fails with the message: Wrong username or password. Does anyone know if it is possible to give the users the password-change dialog in the Clean Access agent? Or is this a "mission impossible"? Clean Access version is 4.1.3.

4 REPLIES
Silver

Re: NAC - Users not able to change their passwords via RADIUS an

It is important to provide secure passwords for the user accounts in Cisco NAC Appliance system, and to change them from time to time to maintain system security. The suite does not generally impose standards for the passwords you choose, but it is advised that you use strong passwords, that is, passwords with at least six characters, mixed letters and numbers, and so on. Strong passwords reduce the likelihood of a successful password guessing attack against your system.

This link may help:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/416/CAM/m_admin.html#wp1046192

ruj
New Member

Re: NAC - Users not able to change their passwords via RADIUS an

Hi, and thanks for answering the post. Yes, I totally agree with what you say about strong passwords, but that is not the issue here. The password policy (which is strong) is enforced by the Active Directory that the RADIUS server authenticates the CAS users against. The password policy in this AD also defines that the users must change their password at least every 90 days. But when a CAS user's password has expired in the AD, the Clean Access agent does not give the user any possibility to change his password, or even a warning telling the user that the password has expired and has to be changed. That is the issue here.

New Member

Re: NAC - Users not able to change their passwords via RADIUS an

What do they use for wired auth? Do they use AD SSO?

ruj
New Member

Re: NAC - Users not able to change their passwords via RADIUS an

No, not AD SSO. Most of the computers are not members of the AD at all. The CAM uses RADIUS and MSCHAPv2 against the IAS server running on the domain controller. The Clean Access users created in AD are divided into two groups, and then we use an IAS policy based on which AD group the user belongs to in order to decide if the user is a guest or a long-term user with extended rights on the network. Then we use mapping on the CAM to put the user into the correct VLAN on the switch. Later we plan to make images with computers that are also members of the same AD.
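The thread turns on one detail the agent hides: an MS-CHAPv2 server distinguishes an expired password from a wrong one in its failure message, and only a client that implements the change-password exchange can turn that into a dialog. The following script is an added example, not code from this thread or from Cisco; it parses the RFC 2759 failure string ("E=eeeeee R=r C=... V=... M=...") and buckets failures so a help desk or RADIUS log review can tell "password expired" (E=648) apart from "bad credentials" (E=691). The sample records are constructed for the demonstration and do not follow the IAS log format.

```python
import re
from collections import Counter

# MS-CHAPv2 failure codes as defined in RFC 2759, section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Failure message layout per RFC 2759: "E=eeeeee R=r C=<32 hex> V=v M=<msg>".
# C, V and M are optional here so that terse server messages still parse.
FAILURE_RE = re.compile(
    r"^E=(?P<code>\d+)\s+R=(?P<retry>[01])"
    r"(?:\s+C=(?P<challenge>[0-9A-Fa-f]{32}))?"
    r"(?:\s+V=(?P<version>\d+))?"
    r"(?:\s+M=(?P<message>.*))?$"
)


def parse_failure(text):
    """Return a dict describing an MS-CHAPv2 failure string, or None if malformed."""
    m = FAILURE_RE.match(text.strip())
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m.group("retry") == "1",
        "challenge": (m.group("challenge") or "").lower() or None,
        "version": int(m.group("version")) if m.group("version") else None,
        "message": m.group("message") or "",
    }


def classify(failure):
    """Map a parsed failure onto what the user actually needs to be told."""
    if failure is None:
        return "unparseable"
    code = failure["code"]
    if code == 648:
        # R=1 with E=648 is the server inviting a Change-Password exchange.
        # A client that does not implement it shows a plain login failure instead.
        if failure["retry_allowed"]:
            return "password-expired-change-offered"
        return "password-expired"
    if code == 691:
        return "bad-credentials"
    if code in (646, 647, 649):
        return "policy-denied"
    if code == 709:
        return "password-change-failed"
    return "other"


# Constructed sample records (user, MS-CHAP-Error text returned by the server).
# These are invented for the example and are not an IAS/NPS log format.
SAMPLE_RECORDS = [
    ("alice", "E=648 R=1 C=0123456789abcdef0123456789abcdef V=3 M=Password expired"),
    ("bob", "E=691 R=1 C=fedcba9876543210fedcba9876543210 V=3 M=Authentication failure"),
    ("carol", "E=648 R=0 C=00112233445566778899aabbccddeeff V=3 M=Password expired"),
    ("dave", "E=647 R=0 V=3 M=Account disabled"),
    ("erin", "garbage text"),
]


def summarize(records):
    """Count failure categories so expired passwords are not lumped in with bad credentials."""
    return Counter(classify(parse_failure(text)) for _, text in records)


if __name__ == "__main__":
    for user, text in SAMPLE_RECORDS:
        print(f"{user:6} -> {classify(parse_failure(text))}")
    print(dict(summarize(SAMPLE_RECORDS)))
```

If the agent reports "Wrong username or password" for both alice and bob above, the RADIUS server's failure code is still the place where the two cases can be told apart, which is what a help desk needs when a user with an expired AD password is locked out of the wired network.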
