Cisco Support Community

LEAP and W2k AD Password Changes

We have a number of APs which are configured to use LEAP. These communicate with a CSACS 2.6 server which in turn is set up to query Windows 2000 Active Directory as an unknown user policy, for use with LEAP. When the domain account policy dictates that users should change their password (every 60 days), we find that users can no longer log on using the wireless connection. The fix seems to be to log on using the wired network, after which the wireless connection (and hence LEAP) does authenticate. Has this been seen anywhere else? This seems to be something to do with password synchronisation somewhere, but I'm not sure exactly where the problem lies.

Re: LEAP and W2k AD Password Changes

We have the same problem. LEAP does not use MSCHAPv2, which is required to support password changes, expiration, etc. from AD. For this reason we are testing moving to PEAP and ACS 3.2. ACS 3.2 supports MSCHAPv2... According to the TAC there are no plans for LEAP to support MSCHAPv2.

Re: LEAP and W2k AD Password Changes

I posted this on another thread. I was also informed that LEAP will never support MS-CHAP v2.

Back in November of '02, I had an issue with certain NT domains having the password change policy in effect and users not able to make the change using their wireless LEAP connection. What I discovered was that it could not be done through the wireless connection since LEAP was written to only support MS-CHAP v1. This change request is a v2 mechanism. Our options were to either make the change to PEAP or simply have the users change their password from their wired connection. Since we invested quite a bit in implementing LEAP only less than a year prior, it has not been feasible for us to completely change our authentication method as of yet.
