Domain user accounts getting locked out
robert_davies
New Contributor

Our BYOD SSID authenticates users using 802.1X against a RADIUS server. We often have issues where a user's domain account gets locked out. This is happening because the user has changed their domain password, but a BYOD device they have used is still attempting to authenticate against the RADIUS server, failing and locking the user's account. Has anybody else come across this scenario before, and what was done to prevent this happening? I know an easy solution is just to make sure users have "forgotten network" on devices they use. But this isn't always as straightforward as we would like it to be 🙂
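The practical problem in the question is working out which of a user's devices is still replaying the old password so the helpdesk can tell them exactly where to "forget network". The script below is an added example, not code from the original post or from any vendor: it reads a constructed, simplified RADIUS reject log (real NPS or FreeRADIUS logs use their own formats and the parser would need adapting), ignores failures that predate the user's password change (a constructed stand-in for AD's pwdLastSet), and reports each Calling-Station-Id (client MAC) whose bad-password rejects would trip a hypothetical lockout threshold inside the observation window.

```python
"""Correlate RADIUS reject events to find BYOD devices that keep
retrying a stale domain password after the user changed it."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real NPS/FreeRADIUS output). Fields:
# timestamp, user, Calling-Station-Id (client MAC), NAS, result, reason.
SAMPLE_LOG = """\
2024-03-04T08:01:12 CORP\\jsmith AA-BB-CC-11-22-33 ap-floor1 Reject bad-password
2024-03-04T08:01:40 CORP\\jsmith AA-BB-CC-11-22-33 ap-floor1 Reject bad-password
2024-03-04T08:02:05 CORP\\jsmith AA-BB-CC-11-22-33 ap-floor1 Reject bad-password
2024-03-04T08:02:33 CORP\\jsmith AA-BB-CC-11-22-33 ap-floor1 Reject bad-password
2024-03-04T08:03:01 CORP\\jsmith AA-BB-CC-11-22-33 ap-floor1 Reject bad-password
2024-03-04T08:03:30 CORP\\jsmith AA-BB-CC-11-22-33 ap-floor1 Reject account-locked
2024-03-04T08:05:10 CORP\\jsmith DE-AD-BE-EF-00-01 ap-floor2 Reject account-locked
2024-03-04T08:06:00 CORP\\akhan 10-20-30-40-50-60 ap-floor1 Accept -
2024-03-04T08:06:30 CORP\\akhan 10-20-30-40-50-60 ap-floor1 Reject bad-password
2024-03-04T08:07:00 CORP\\akhan 10-20-30-40-50-60 ap-floor1 Accept -
"""

# Constructed: when each user last changed their domain password.
# In production this would be read from the AD pwdLastSet attribute.
PASSWORD_CHANGED = {
    "CORP\\jsmith": datetime(2024, 3, 4, 7, 45, 0),
    "CORP\\akhan": datetime(2024, 2, 1, 9, 0, 0),
}

LOCKOUT_THRESHOLD = 5                        # hypothetical AD lockout threshold
OBSERVATION_WINDOW = timedelta(minutes=30)   # hypothetical AD observation window


def parse_log(text: str) -> list[dict]:
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mac, nas, result, reason = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "mac": mac.upper(),
            "nas": nas,
            "result": result,
            "reason": reason,
        })
    return events


def find_stale_credential_devices(events, password_changed, threshold, window):
    """Return {user: {mac: reject_count}} for devices whose bad-password
    rejects after the user's password change reach `threshold` failures
    inside any `window`-long span, i.e. enough on their own to lock the account."""
    rejects: dict[str, dict[str, list[datetime]]] = defaultdict(lambda: defaultdict(list))
    for ev in events:
        # Only genuine wrong-password attempts count toward lockout;
        # 'account-locked' rejects are a symptom, not a cause.
        if ev["result"] != "Reject" or ev["reason"] != "bad-password":
            continue
        changed = password_changed.get(ev["user"])
        if changed is None or ev["ts"] < changed:
            continue  # failures before the change are not a stale-credential symptom
        rejects[ev["user"]][ev["mac"]].append(ev["ts"])

    suspects: dict[str, dict[str, int]] = {}
    for user, by_mac in rejects.items():
        for mac, times in by_mac.items():
            times.sort()
            # Sliding window: does any run of `threshold` failures fit in `window`?
            for i in range(len(times) - threshold + 1):
                if times[i + threshold - 1] - times[i] <= window:
                    suspects.setdefault(user, {})[mac] = len(times)
                    break
    return suspects


def report(suspects: dict[str, dict[str, int]]) -> list[str]:
    """Helpdesk-friendly lines: which device to have the user forget the SSID on."""
    lines = []
    for user, by_mac in sorted(suspects.items()):
        for mac, count in sorted(by_mac.items()):
            lines.append(f"{user}: device {mac} sent {count} stale-password attempts "
                         f"since the password change; have the user forget the SSID on it")
    return lines


if __name__ == "__main__":
    found = find_stale_credential_devices(
        parse_log(SAMPLE_LOG), PASSWORD_CHANGED, LOCKOUT_THRESHOLD, OBSERVATION_WINDOW)
    for line in report(found):
        print(line)
```

On a Windows estate the same correlation can be done from events rather than text logs: the domain controller's 4740 "A user account was locked out" event names the caller computer (here the RADIUS/NPS server, which is why the lockout itself does not reveal the phone), while NPS's own 6273 "denied access" events carry the Calling-Station-Id that does identify the client device.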

3 REPLIES

samantha_lynn
Esteemed Contributor III

It depends a bit on the end users. If this is a guest account with temporary users, I would recommend PSK with a Guest-Internet-Access-Only IP firewall set up on the AP. If these are known users who just happen to bring their own device or devices, I would suggest a PPSK SSID, so all users have their own username and password, and you can either allow them to use this on an unlimited number of devices or on a restricted number of devices.
RADIUS is best suited to known clients with static, known devices. Additionally, there is the management overhead of constantly adjusting for new passwords, as you are currently running into. Also there is the problem with certificates. Where you are using the default certificates or third-party certificates, unless you manually install the certificate in use on each new device, they will get warning messages about navigating to untrusted sources, which will slow them down and may alarm some users. RADIUS is a stateless authentication process, meaning that after the initial login, it does not keep track of users' permissions to be on the network. Typically for guest networks admins prefer SSID types that keep track of client state, such as PPSK.

robert_davies
New Contributor

Hi Sam, thanks for getting back to me. What setup would you suggest for BYOD? Also, what other reasons do you have for not using 802.1X for BYOD?
Thanks

samantha_lynn
Esteemed Contributor III

Unfortunately we wouldn't have any way to force client devices to forget old passwords. This is one of several reasons we typically don't recommend using 802.1X for BYOD deployments.
