Password change via wireless client.

gsancassano
Level 1

In a WLC 5508 that is configured to authenticate users against Cisco ACS (configured to use Windows Database -> Active Directory), we would like to know if there is a way to change the password via a wireless client when the password expires, or when it is a new user who has been set to change the password at first login.

Thanks in advance.

1 Accepted Solution

Hi,

In ACS 4.2 you only need to allow MSCHAPv2 password change:

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

10 Replies

Tiago Antunes
Cisco Employee

Hi,

Sure you can do this if you use MSCHAPv2 allowing password change.

MSCHAPv2 is the inner method by default in PEAP (PEAP-MSCHAPv2).

I am not sure what ACS version you are using, but here is a config example for "PEAP under Unified Wireless Networks with ACS 4.0 and Windows 2003":

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Tiago,

Thanks for your reply. I read the article but I don't find where I have to set or enable the possibility to change the password for a wireless client.

We are using PEAP-MSChapV2 and ACS 4.2.

We also use Web-auth, do you know if it is possible to configure something similar for this auth type?

Thanks.

Hi,

In ACS 4.2 you only need to allow MSCHAPv2 password change:

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Tiago,

We have configured and tested it, but it doesn't work. In the ACS (v4.2) logs we see the error "PEAP-FAST password change error". We don't understand why this is showing up since we are using PEAP-MSChapV2 and PEAP-FAST is disabled.

What do you suggest we could check?

Thanks.

Hi,

What is the client supplicant software?

Can you describe the user experience when logging in... what popups he gets, what he inserts, ...

BR,
Tiago

Tiago,

The client supplicant that we are using is the windows native supplicant.

When the user connects to the wireless network and enters the credentials, a pop-up appears that asks the client to change the password. The client enters the old password and the new password twice. Then the authentication fails (the logs in the ACS show that the authentication fails because "PEAP-FAST is not allowed").

Thanks again.

I don't know that you can. Because the client is not authenticated to the network to get on to even change an expired password. UNLESS you have a machine account whereby the MACHINE gets access to the network (via wireless) and the client can then change his password.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks for the replies.

Searching on the ACS user guide more deeply I found that it can be done, tested it, and it works.

What you have to do, in addition to what Tiago said, is set on External User Database -> Windows Database -> Configure -> Windows EAP settings -> Enable password change inside PEAP or PEAP-Fast.

Windows 7 has a "single sign on" option. I regularly log onto a machine and create a profile and change passwords over the air using this feature. It works very well.

So my question is "how does the wireless client" get authenticated to the network PRIOR to changing the password. You would have to have something...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
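
Added example, not part of the original thread and not Cisco code: the MSCHAPv2 password change discussed above is signalled inside the PEAP tunnel by the MS-CHAPv2 Failure message defined in RFC 2759 (`E=648` means the password has expired), which is what makes the supplicant show the change-password prompt during authentication, before network access is granted. The sketch below parses that message; the sample strings and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Error codes defined for the MS-CHAPv2 Failure packet in RFC 2759, section 6.
ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Layout: "E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<msg>"
_FAILURE = re.compile(
    r"E=(?P<e>\d{1,10}) R=(?P<r>[01]) C=(?P<c>[0-9A-Fa-f]{32}) "
    r"V=(?P<v>\d{1,10})(?: M=(?P<m>.*))?\Z", re.S)

@dataclass
class Failure:
    code: int          # E= numeric error code
    name: str          # symbolic name from ERRORS, or "UNKNOWN"
    retry: bool        # R=1 means the peer may retry with the new challenge
    challenge: bytes   # C= 16-byte challenge, sent as 32 hex digits
    version: int       # V= password-change protocol version
    message: str       # M= human-readable text (may be empty)

def parse_failure(text: str) -> Failure:
    """Parse the message field of an MS-CHAPv2 Failure packet."""
    m = _FAILURE.match(text)
    if m is None:
        raise ValueError("not an MS-CHAPv2 failure message")
    code = int(m["e"])
    return Failure(code, ERRORS.get(code, "UNKNOWN"), m["r"] == "1",
                   bytes.fromhex(m["c"]), int(m["v"]), m["m"] or "")

def offers_password_change(f: Failure) -> bool:
    # Only an expired password with change-protocol version 3 (the value
    # RFC 2759 fixes for MS-CHAPv2) leads to a Change-Password exchange.
    return f.code == 648 and f.version == 3

# Constructed sample messages (not captured from a real server).
EXPIRED = "E=648 R=0 C=" + "0123456789ABCDEF" * 2 + " V=3 M=Password expired"
BAD_PW = "E=691 R=1 C=" + "00" * 16 + " V=3 M=Authentication failed"

if __name__ == "__main__":
    for sample in (EXPIRED, BAD_PW):
        f = parse_failure(sample)
        print(f.name, "-> change offered:", offers_password_change(f))
```
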