Cisco Support Community

New Member

EAP-FAST w/ ACS v 3.2 has password expiry problems

We’ve deployed several mobile workstations on carts in a hospital:

Neoware (Thin Client) w/Citrix with Aironet PCI cards (both 802.11b & g)

The security is EAP-FAST

Cisco Aironet 1200 APs running V12.2(13) JA1

The AP is communicating to a Cisco ACS server v3.2 configured for EAP-FAST

The ACS syncs up with the NT Authentication server

Things work fine for a while, then when the password expires the user is locked out of their account.

3 REPLIES
Green

Re: EAP-FAST w/ ACS v 3.2 has password expiry problems

First, I'd suggest updating your IOS; 12.2(13) had a fair number of bugs.

It sounds like the client is going into sleep / power save mode and losing the connection to the Citrix server. The server might be configured to only allow one session per client ... and the one that's allocated is disconnected (but still active).

Try killing the power-save mode on all of the client-side components and software.

Check the Citrix server to see if it has a session restriction ... if so, open it up (for diagnostic purposes).

Try setting the password expiration to some short value and see if having the password expire in ~5 minutes still locks the system (trying to rule out one system or the other as the problem source).

Also try staying active on the client through the time period where the password would expire to see if it's a sleep mode / power-save disconnect that's causing the problem.

But first, I'd update the IOS ...

Good Luck

Scott

New Member

Re: EAP-FAST w/ ACS v 3.2 has password expiry problems

I'm speculating here ... the password expiration alert is NOT properly pushed out to the WLAN client - I don't know why, but I also see this behavior with VPN clients.

So what happens is the password expires, the user isn't presented with the dialog box informing them of such, enters what they think is the correct password, and locks out the account.

New Member

Re: EAP-FAST w/ ACS v 3.2 has password expiry problems

I was correct. If you web into your ACS and follow this path:

EXTERNAL USER DATABASES

DATABASE CONFIGURATION

WINDOWS DATABASE

CONFIGURE

WINDOWS AUTHENTICATION CONFIGURATION

WINDOWS EAP SETTINGS

Enable password change inside PEAP or EAP-FAST.
