Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Windows Domain Password Change In LEAP Environment

Our users are prompted to change their Windows domain password at 90 day intervals. However, since LEAP is the first logon in the process and has no mechanism to change the Windows domain password, there really is no way to gain connectivity short of using a wired connection to make the password change. Has anyone else experienced this issue? Of course the iPAQ is a whole other ball of wax. Thanks for any info.

Danny

4 REPLIES
Cisco Employee

Re: Windows Domain Password Change In LEAP Environment

You can change the windows domain password using LEAP too. For that you have to map the ACS to use the external database of Windows NT to authenticate wireless users using LEAP..So all the users can use their NT domain login for LEAP. That way you can manage NT network connectivity using just one initial windows domain login using LEAP too.

So just point ACS to use NT database to authenticate LEAP users.

Now ACS do support "password aging" feature where LEAP users authenticated against ACS database will be prompted for password change once its expired..Here is the url for that

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/g.htm#xtocid1197914

New Member

Re: Windows Domain Password Change In LEAP Environment

That is, in fact, what we currently do regarding NT domain account credentialing. No use of native accounts on our 3rd party RADIUS server. The way I see it is that LEAP and RADIUS reach out to the DC and is notified that the password is no longer valid, hence offering nothing more than an error message that the password is incorrect. What mechanism does LEAP have to allow an expired domain password to be changed at that point?

Danny

New Member

Re: Windows Domain Password Change In LEAP Environment

I have recently discovered that LEAP does not support changing expired passwords due to it's support of CHAP v1, not v2. The suggestion has been made to use PEAP instead of LEAP. It's also my understanding that LEAP is not going to be re-written to support CHAP v2. Any comments as to why this is since it's use has become fairly widespread? We just recently made the change to LEAP authentication and making another authentication change to PEAP is not a very convenient way of fixing this issue. I'm thinking that informing the users that they need to actually plug into a wired connection to change their domain password might be the easier way. But, that defeats the whole point of "wireless".

Danny

New Member

Re: Windows Domain Password Change In LEAP Environment

We just completed a two main campus and 25+ satellite site conversion to LEAP. All laptops had to be touched by a contract crew. To face the same expense again because of PEAP would not go over well with managment (or the network team for that matter). Even a dependable way to do the conversion automatically (via NT login script) or the autoinstaller (which we found incapable of updating NDIS drivers) would be acceptable. Also, we are still looking for a dependable way to change ACU profile setting without having to touch each PC (as asking most physicians to follow a procedure is a recipe for trouble). We tried a registry hack, but the profiles settings are encrypted. The autoinstaller works for profiles, but not all of the profile settings are included in the model profile syntax. Has anyone encountered/solved this issue?

115
Views
0
Helpful
4
Replies