New Member

Password change via wireless client.

In a WLC 5508 that is configured to authenticate users against Cisco ACS (configured to use Windows Database -> Active Directory) we would like to know if there is a way to change the password via a wireless client when the password expires or when it is a new user and has been set to change the password at the first login.

Thanks in advance.

Cisco Employee

Re: Password change via wireless client.

Hi,

Sure you can do this if you use MSCHAPv2 allowing password change.

MSCHAPv2 is the inner method by default in PEAP (PEAP-MSCHAPv2).

I am not sure what ACS version you are using, but here is a config example for "PEAP under Unified Wireless Networks with ACS 4.0 and Windows 2003":

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml.

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

New Member

Re: Password change via wireless client.

Tiago,

Thanks for your reply. I read the article but I don't find where I have to set or enable the possibility to change the password for a wireless client.

We are using PEAP-MSChapV2 and ACS 4.2.

We also use Web-auth, do you know if it is possible to configure something similar for this auth type?

Thanks.

Cisco Employee (accepted solution)

Re: Password change via wireless client.

Hi,

In ACS 4.2 you only need to allow MSCHAPv2 password change:

HTH,

Tiago


New Member

Re: Password change via wireless client.

Tiago,

We have configured and tested it, but it doesn't work. In the ACS (v4.2) logs we see the error "PEAP-FAST password change error". We don't understand why this is showing up since we are using PEAP-MSChapV2 and PEAP-FAST is disabled.

What do you suggest we could check?

Thanks.

Cisco Employee

Re: Password change via wireless client.

Hi,

What is the client supplicant software?

Can you describe the user experience when logging in... what pop-ups he gets, what he inserts,...

BR,
Tiago

New Member

Re: Password change via wireless client.

Tiago,

The client supplicant that we are using is the windows native supplicant.

When the user connects to the wireless network and enters the credentials, a pop-up appears that asks the client to change the password. The client enters the old password and twice the new password. Then the authentication fails (the logs in the ACS show that the authentication fails because "PEAP-FAST  is not allowed").

Thanks again.

Re: Password change via wireless client.

I don't know that you can. Because the client is not authenticated to the network to get on to even change an expired password. UNLESS you have a machine account whereby the MACHINE gets access to the network (via wireless) and the client can then change his password.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

Re: Password change via wireless client.

Thanks for the replies.

Searching on the ACS user guide more deeply I found that it can be done, tested it, and it works.

What you have to do, in addition to what Tiago said, is set on External User Database -> Windows Database -> Configure -> Windows EAP settings -> Enable password change inside PEAP or PEAP-Fast.

New Member

Re: Password change via wireless client.

Windows 7 has a "single sign on" option. I regularly log onto a machine and create a profile and change passwords over the air using this feature. It works very well.

Re: Password change via wireless client.

So my question is "how does the wireless client" get authenticated to the network PRIOR to changing the password. You would have to have something...

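On the question of how a password can be changed before the client is on the network, as an added example that is not part of the original thread: in MS-CHAPv2 (RFC 2759) the server's Failure message carries an error code, and E=648 (password expired) with V=3 tells the supplicant it may send a Change-Password packet inside the same PEAP tunnel, before authentication has succeeded. The function names and the sample failure strings are constructed for illustration.

```python
import re

# Error codes from the MS-CHAPv2 Failure packet definition in RFC 2759.
MSCHAPV2_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Failure message layout: "E=<code> R=<0|1> C=<32 hex digits> V=<version> M=<text>"
_FAILURE_RE = re.compile(
    r"^E=(?P<E>\d{1,10}) R=(?P<R>[01]) C=(?P<C>[0-9A-Fa-f]{32}) "
    r"V=(?P<V>\d{1,10})(?: M=(?P<M>.*))?$"
)


def parse_failure(message):
    """Split an MS-CHAPv2 Failure message into its fields."""
    m = _FAILURE_RE.match(message)
    if m is None:
        raise ValueError("not an MS-CHAPv2 failure message")
    code = int(m["E"])
    return {
        "code": code,
        "name": MSCHAPV2_ERRORS.get(code, "UNKNOWN"),
        "retry": m["R"] == "1",                 # R=1: a retry is allowed
        "challenge": bytes.fromhex(m["C"]),     # new 16-octet challenge
        "version": int(m["V"]),                 # 3 = MS-CHAPv2 password change
        "text": m["M"] or "",
    }


def next_step(message):
    """Decide what a supplicant does after a Failure (hypothetical helper)."""
    f = parse_failure(message)
    if f["code"] == 648 and f["version"] == 3:
        return "change-password"   # prompt for old + new password, stay in tunnel
    if f["code"] == 691 and f["retry"]:
        return "retry"             # wrong credentials, server permits another try
    return "fail"                  # anything else ends the EAP conversation
```

The ACS settings named in the thread decide whether the server permits this exchange for PEAP clients.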