We have a number of APs which are configured to use LEAP. These communicate with a CSACS 2.6 server which in turn is set up to query Windows 2000 Active Directory as an unknown user policy, for use with LEAP. When the domain account policy dictates that users should change their password (every 60 days), we find that users can no longer log on using the wireless connection. The fix seems to be to log on using the wired network, after which the wireless connection (and hence LEAP) does authenticate. Has this been seen anywhere else? This seems to be something to do with password synchronisation somewhere, but I'm not sure exactly where the problem lies.
We have the same problem. LEAP does not use MSCHAPv2, which is required to support password changes, expiration, etc. from AD. For this reason we are testing moving to PEAP and ACS 3.2. ACS 3.2 supports MSCHAPv2... According to the TAC there are no plans for LEAP to support MSCHAPv2.
I posted this on another thread. I was also informed that LEAP will never support MS-CHAP v2.
Back in November of '02, I had an issue with certain NT domains having the password change policy in effect and users not able to make the change using their wireless LEAP connection. What I discovered was that it could not be done through the wireless connection since LEAP was written to only support MS-CHAP v1. This change request is a v2 mechanism. Our options were to either make the change to PEAP or simply have the users change their password from their wired connection. Since we invested quite a bit in implementing LEAP only less than a year prior, it has not been feasible for us to completely change our authentication method as of yet.