Reset Expired Password Over Wireless


We are using the NAC as our Radius server. When a user lets their password expire, they are not able to change it over the wireless connection. They have to go to a wired connection and then they are able to change it.

Are others seeing this issue? How are you getting around this issue?

Thank you.

10 replies

Userlevel 4
Hi Rashan,

What happens when the user changes the password over WLAN? What is the error message?
Do we have any logs in the controller reports?

Please check and let us know.

Thanks,
Suresh.B
Userlevel 3
A user will not be able to change their password on an 802.1X wireless connection because the password is expired and cannot establish the correct encryption/decryption keys. There is no way to establish a wireless session with 802.1X.

So unfortunately your only way to solve this is to do this where the user can gain access to the network. This can be a separate SSID for maintenance/repairs, or wired link, or you can set up some external system so they can reset their password via phone, but you will be unable to do this over a single SSID protected by 802.1X. You may want to send out a reminder email before their password expires and remind them that they need to change it before they cannot connect via wireless again.
Matthew,

Thank you for your response.
So if I add a second SSID without authentication that uses just a passphrase, that should work?
Right now I only push out the 1 SSID via Group Policy.
Userlevel 7
Rashan Jones wrote:

Matthew,

Thank you for your response.
So if I add a second SSID without authentication that uses just a passphrase, that should work?
Right now I only push out the 1 SSID via Group Policy.

Yes, as long as they can connect and contact the DC to change the password.
Rashan Jones wrote:

Matthew,

Thank you for your response.
So if I add a second SSID without authentication that uses just a passphrase, that should work?
Right now I only push out the 1 SSID via Group Policy.

Perfect...thank you.
I will give it a shot!
Userlevel 7
Since you have flexibility with the solution, you can advertise it in the area around the users that need to change it, then turn it off. This is until you can send out email reminders that their password is going to expire (before the expiration date).
Userlevel 7
Reference: https://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27
Userlevel 3
My suggestion is to only allow that second SSID to have access to a DC (not your primary) and required services, as well as other remediation access (installing AV, pushing patches, etc.). This helps provide a secure environment.
Rashan Jones wrote:

Matthew,

Thank you for your response.
So if I add a second SSID without authentication that uses just a passphrase, that should work?
Right now I only push out the 1 SSID via Group Policy.

Thank you both for all of your help and suggestions. I really appreciate it!
Userlevel 7
No problem, glad to help.
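
The reminder-email suggestion made earlier in the thread, as an added example that is not part of any original post and is not the script linked above: it lists enabled accounts whose password expires within a warning window, mails them, and separately reports accounts that are already expired and so will fail 802.1X. It assumes the RSAT ActiveDirectory module; `smtp.example.com`, `helpdesk@example.com` and the 14-day window are placeholders.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$WarnDays   = 14                        # assumed warning window
$SmtpServer = 'smtp.example.com'        # placeholder
$From       = 'helpdesk@example.com'    # placeholder
$Now        = Get-Date

# msDS-UserPasswordExpiryTimeComputed accounts for fine-grained password policies.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', mail

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = must change at next logon; Int64 max = no expiry under the effective policy.
    # FromFileTime throws on the latter, so skip both.
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
    if ($daysLeft -gt $WarnDays) { continue }

    [pscustomobject]@{
        User     = $u.SamAccountName
        Mail     = $u.mail
        Expires  = $expires
        DaysLeft = $daysLeft
        Status   = if ($daysLeft -lt 0) { 'Expired' } else { 'ExpiringSoon' }
    }
}

# Remind users who can still authenticate and have a mail address on record.
$toWarn = $report | Where-Object { $_.Status -eq 'ExpiringSoon' -and $_.Mail }
foreach ($r in $toWarn) {
    $body = "Your password expires on $($r.Expires.ToString('yyyy-MM-dd')). " +
            "Change it before then; an expired password cannot be changed over the 802.1X wireless network."
    Send-MailMessage -To $r.Mail -From $From -SmtpServer $SmtpServer `
        -Subject "Password expires in $($r.DaysLeft) day(s)" -Body $body
}

# Accounts already expired need a wired port or the remediation SSID.
$report | Where-Object { $_.Status -eq 'Expired' } |
    Sort-Object Expires | Format-Table User, Mail, Expires -AutoSize
```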