
Password Expiration handling with LEAP enabled client?

mbouchar
Level 1

Is there a way to configure the Client or ACS server to allow for the changing of an expired password?

It appears that if a LEAP enabled client attempts to authenticate to an Access Point via ACS that is configured to point to an NT active directory for user authentication, and the password is expired, the client just fails login and eventually the NT account is locked out (based on the domain password policy). I can somewhat understand this if the client never gets an IP address until he is authorized.


ndoshi
Cisco Employee

Hi,

I know that ACS has an option under user properties that allows changing of the password when it expires.

Also, if you have the latest driver and version on the client, if LEAP login fails, it will not send the same credential again and lock out the NT, but it will pop up a new window to get a new username and password.

medic
Level 1

I was blind-sided by this one. Unfortunately, there is no way to make a change to an expired password in a LEAP environment from a client perspective. The reason is that LEAP only supports MS-CHAP v1, not v2. There is no upgrade offered or plans to fix LEAP to accommodate this. We've been advised to change to PEAP, which does support MS-CHAP v2. However, it's a bit unrealistic for us to make that change due to the lack of interoperability with PEAP with regards to various things including RADIUS vendor type, OS support, etc. It's a constantly changing wireless world, so maybe a better solution will come along in the near term rather than advising users to defeat the purpose of wireless and plug in to make the password change.

Danny

Is Cisco going to fix it in the next release of ACS so that it will support password expiration?

Israel
