Reset Expired Password Over Wireless

  • Question
  • Updated 3 years ago
  • Answered
We are using the NAC as our Radius server.  When a user lets their password expire, they are not able to change it over the wireless connection.  They have to go to a wired connection and then they are able to change it.

Are others seeing this issue?  How are you getting around this issue?

Thank you.

Rashan Jones


Posted 3 years ago


Bharathiraja, Suresh, Employee

Hi Rashan,

What happens when the user changes the password over WLAN? What is the error message?
Do we have any logs in the controller reports?

Please check and let us know.

Thanks,
Suresh.B

Matthew Hum, Principal Engineer, APAC

A user will not be able to change their password on an 802.1X wireless connection because the password is expired and cannot establish the correct encryption/decryption keys. There is no way to establish a wireless session with 802.1X.


So unfortunately your only way to solve this is to do this where the user can gain access to the network. This can be a separate SSID for maintenance/repairs, or wired link, or you can set up some external system so they can reset their password via phone, but you will be unable to do this over a single SSID protected by 802.1X.

You may want to send out a reminder email before their password expires and remind them that they need to change it before they cannot connect via wireless again.

Rashan Jones

Matthew,

Thank you for your response.  
So if I add a second SSID without authentication that uses just a passphrase, that should work?
Right now I only push out the 1 SSID via Group Policy. 

Doug Hyde, Technical Support Manager

Since you have flexibility with the solution, you can advertise it in the area around the users that need to change it then turn it off. This is until you can send out email reminders that their password is going to expire (before the expiration date).

Matthew Hum, Principal Engineer, APAC

My suggestion is to only allow that second SSID to have access to a DC (not your primary) and required services, as well as other remediation access (installing AV, pushing patches, etc.). This helps provide a secure environment.

Rashan Jones

Thank you both for all of your help and suggestions.  I really appreciate it!

Doug Hyde, Technical Support Manager

No problem, glad to help.
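
Added example (not posted by anyone in this thread): one way to drive the pre-expiry reminder e-mails suggested in the replies above, assuming the accounts live in Active Directory and the ActiveDirectory PowerShell module is available. The SMTP server, sender address and 14-day window are placeholder assumptions.

```powershell
# Added example: report enabled AD users whose password expires within
# $WarnDays and, with -Send, e-mail each of them a reminder.
# Placeholders (assumptions): SMTP server, sender address, warning window.
param(
    [int]$WarnDays = 14,
    [string]$SmtpServer = 'smtp.example.internal',
    [string]$From = 'it-helpdesk@example.internal',
    [switch]$Send          # without -Send the script only prints the report
)

Import-Module ActiveDirectory

# msDS-UserPasswordExpiryTimeComputed is a FILETIME. Two special values:
#   0                  -> no expiry computed (e.g. must change at next logon)
#   0x7FFFFFFFFFFFFFFF -> password never expires (FromFileTime would throw)
$NeverExpires = [Int64]::MaxValue
$now = Get-Date

$expiring = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties 'msDS-UserPasswordExpiryTimeComputed', mail |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if (-not $raw -or $raw -eq $NeverExpires) { return }   # skip this user
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)
        if ($daysLeft -ge 0 -and $daysLeft -le $WarnDays) {
            [pscustomobject]@{
                User     = $_.SamAccountName
                Mail     = $_.mail
                Expires  = $expires
                DaysLeft = $daysLeft
            }
        }
    }

$expiring | Sort-Object DaysLeft | Format-Table -AutoSize

if ($Send) {
    # Only users with a mail attribute can be notified
    foreach ($u in $expiring | Where-Object Mail) {
        $body = "Your password expires on $($u.Expires.ToString('f')). " +
                "Change it before then: an expired password cannot " +
                "authenticate to the 802.1X wireless network."
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.Mail `
            -Subject "Your password expires in $($u.DaysLeft) day(s)" -Body $body
    }
}
```

Run it without `-Send` first to review the list, then schedule it daily so users are reminded while they can still authenticate over wireless.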