Cisco Support Community
Community Member

LEAP and Active Directory

We use LEAP with transparent user settings for user authentication against win2000 Active Directory. When laptop users login, the Cisco ACS automatically takes their username and password back to AD for authentication. The AD policy requires users to change passwords every 60 days. The prompt to change password occurs with no issue, but on the next try to log in, the user can't authenticate against AD. The problem appears to be the Cisco ACS holding onto the old password when it creates an entry for transparent users.

Any thoughts as to how to overcome this?

Community Member

Re: LEAP and Active Directory


I am trying to do a similar thing but using EAP-TLS; we are struggling to integrate the login with Active Directory. Do you have any tips?

I have been following the "Installation Guide for Cisco Secure ACS for Windows Server version 3.2".

When we reset the password on the domain controller, the client still seems to log in with the old cached password. I am not sure if we have set up the comms between ACS and the domain controller correctly.

Thanks!!

Community Member

Re: LEAP and Active Directory

Back in November of '02, I had an issue with certain NT domains having the password change policy in effect and users not able to make the change using their wireless LEAP connection. What I discovered was that it could not be done through the wireless connection since LEAP was written to only support MS-CHAP v1. This change request is a v2 mechanism. Our options were to either make the change to PEAP or simply have the users change their password from their wired connection. Since we invested quite a bit in implementing LEAP only less than a year prior, it has not been feasible for us to completely change our authentication method as of yet. Not sure if this applies to your situation.

Community Member

Re: LEAP and Active Directory

We have had the same problems as mentioned above, but have resolved the issue. One further issue we have is to change your password via the wireless infrastructure on the NT/2000 domain once it has expired. There does not seem to be any prompt to enter a new password to reinstate your logon. Once again, if tried on the wired network there are no issues. Can anyone assist?

Many thanks.
