User unable to login via 802.1x when user account locked.

Robert_Zdzieblo
Contributor II
Hello,

We have a wired network with 802.1x authentication using NAC/XMC ver. 8.3.
NAC is using LDAP to check users/hosts against AD.

If an admin sets a new password for users and forces the user to change the password on next logon, then we get a RADIUS Reject with the following State Description:

The authentication request was rejected due to NTLM authentication error: : The user account has expired. (0xc0000193)

Moreover, the user is not able to change his own password even after successfully getting access to the network via 802.1x.

Is there any way to overcome this issue, so users are able to log in or change the password during the logon process?

This is a new NAC installation we are currently deploying, and IT staff say they will only accept a solution with the password changing task done the way it was used before (so that the user was able to change the password after getting access to the network).

Any suggestions?


REGARDS
Robert
3 REPLIES

Robert_Zdzieblo
Contributor II
Thanks Brian,

We'll check the client setting for entering credentials manually.

BTW: Could the SSO option for connecting to the network after logon be useful in this case? Isn't SSO for wireless only?

REGARDS
Robert

Ronald_Dvorak
Honored Contributor


I don't see how the NAC has anything to do with that. If the client is authenticated, the NAC isn't involved in the data that is rx/tx from and to the client.

-Ron

Brian_Anderson1
Contributor
What version of NAC are you running? If 7.x +, the user should be prompted for a password change:
https://gtacknowledge.extremenetworks.com/articles/Solution/Using-802-1x-authentication-with-NAC-exp...