Question

User unable to login via 802.1x when user account locked.

  • 18 September 2019

Userlevel 2
Hello,

We have a wired network with 802.1x authentication using NAC/XMC ver. 8.3.
NAC is using LDAP to check users/hosts against AD.

If an admin sets a new password for a user and forces the user to change the password on next logon, then we get a RADIUS Reject with the following State Description:

The authentication request was rejected due to NTLM authentication error: : The user account has expired. (0xc0000193)

Moreover, the user is not able to change his own password even after successfully getting access to the network via 802.1x.

Is there any way to overcome this issue, so that users are able to log in or change the password during the logon process?

This is a new NAC installation we are currently deploying, and IT staff say they will only accept a solution where the password change is done the way it was before (so that the user was able to change the password after getting access to the network).

Any suggestions?


REGARDS
Robert

3 replies

Userlevel 2
What version of NAC are you running? If 7.x +, the user should be prompted for a password change:
https://gtacknowledge.extremenetworks.com/articles/Solution/Using-802-1x-authentication-with-NAC-expired-windows-passwords-cannot-be-reset/?q=account+locked+802.1x&l=en_US&c=Extreme_Software%3ANAC_Manager&fs=Search&pn=1
Userlevel 7
"Moreover, user is not able to change his own password even after he was successfully getting access to the network via 802.1x."

I don't see how the NAC has anything to do with that. If the client is authenticated, the NAC isn't involved in the data that is rx/tx from and to the client.

-Ron
Userlevel 2
Thanks Brian,

We'll check the client setting for entering credentials manually.

BTW: Could the SSO option for connecting to the network after logon be useful in this case? Isn't SSO for wireless only?

REGARDS
Robert