In a WLC 5508 that is configured to authenticate users against Cisco ACS (configured to use the Windows Database -> Active Directory), we would like to know if there is a way to change the password via a wireless client when the password expires, or when it is a new user who has been set to change the password at the first login.
Thanks in advance.
Sure you can do this if you use MSCHAPv2 allowing password change.
MSCHAPv2 is the inner method by default in PEAP (PEAP-MSCHAPv2).
I am not sure what ACS version you are using, but here is a config example for "PEAP under Unified Wireless Networks with ACS 4.0 and Windows 2003":
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
Thanks for your reply. I read the article but I don't find where I have to set or enable the possibility to change the password for a wireless client.
We are using PEAP-MSChapV2 and ACS 4.2.
We also use Web-auth; do you know if it is possible to configure something similar for this auth type?
We have configured and tested it, but it doesn't work. In the ACS (v4.2) logs we see the error "PEAP-FAST password change error". We don't understand why this is showing up, since we are using PEAP-MSChapV2 and PEAP-FAST is disabled.
What do you suggest we could check?
What is the client supplicant software?
Can you describe the user experience when logging in... what pop-ups he gets, what he enters, ...
The client supplicant that we are using is the Windows native supplicant.
When the user connects to the wireless network and enters the credentials, a pop-up appears that asks the client to change the password. The client enters the old password and twice the new password. Then the authentication fails (the logs in the ACS show that the authentication fails because "PEAP-FAST is not allowed").
I don't know that you can. Because the client is not authenticated to the network to get on to even change an expired password. UNLESS you have a machine account whereby the MACHINE gets access to the network (via wireless) and the client can then change his password.
Thanks for the replies.
Searching on the ACS user guide more deeply I found that it can be done, tested it, and it works.
What you have to do, in addition to what Tiago said, is set on External User Database -> Windows Database -> Configure -> Windows EAP settings -> Enable password change inside PEAP or PEAP-Fast.
Windows 7 has a "single sign on" option. I regularly log onto a machine and create a profile and change passwords over the air using this feature. It works very well.
So my question is, how does the wireless client get authenticated to the network PRIOR to changing the password? You would have to have something...