https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/m-p/3456700#M537641 <HTML><HEAD></HEAD><BODY><P>Hi Jason,</P><P></P><P>Thanks for the reply!</P><P></P><P>Yeah, you are right, users will get prompter to change their passwords only when password has already expired. It will pop up as native windows logon client, nothing to do with ISE. Opening up the pre-auth ACL to allow them to reset their AD passwords was my first thought, but customer is reluctant to do this, since they do not want to expose their AD to unauthenticated users. I know there is an option of Read Only Domain Controller (RODC) for those who do not want to expose their AD, but customer is not eager to go this way.</P><P></P><P>So I am trying to clarify what this MSHAP Enable Password Change option gives us when AD password <STRONG>already expired</STRONG>. Will user be able to get this Windows logon client pop up and change his password?</P><P></P><P><SPAN>&lt;</SPAN><A class="jive-link-external-small" href="http://www.cisco.com/neverbetter" rel="nofollow" target="_blank">http://www.cisco.com/neverbetter</A><SPAN>&gt;</SPAN></P><P></P><P></P><P></P><P>Vadim Linev</P><P>ARCHITECT.SOLUTIONS</P><P>Cisco Services</P><P></P><P></P><P></P><P></P><P>CCIE Security - 37396</P></BODY></HTML> Thu, 08 Sep 2016 03:39:08 GMT valinev 2016-09-08T03:39:08Z https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/m-p/3456698#M537631 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 12pt;">Hi everyone!</SPAN></P><P><SPAN style="font-size: 12pt;"><BR /></SPAN></P><P><SPAN style="font-size: 12pt;">Can someone please clarify what exactly to expect when AD user password has expired? </SPAN></P><P><SPAN style="font-size: 12pt;"><BR /></SPAN></P><P><SPAN style="font-size: 12pt;">Without any dot1x in place, on the next login user will be notified about the expired password and will be prompted by the login window itself to set the new password. Now we introduce dot1x, PEAP MS-CHAPv2, and tick 'Allowed protocols \ PEAP MS-CHAPv2 \ Enable Password Change' option on ISE. I know that this option allows changing AD password while current one is still valid, but what will happen when password is expired?</SPAN></P><P><SPAN style="font-size: 12pt;"><BR /></SPAN></P><P><SPAN style="font-size: 12pt;">On a side note, what are the usual/recommended way of handling users with expired passwords? Opening up pre-auth ACL (permit Kerberos to AD DCs) so password change can happen even without successful auth? </SPAN></P><P><SPAN style="font-size: 12pt;"><BR /></SPAN></P><P><SPAN style="font-size: 12pt;">Thanks! <BR /></SPAN></P></BODY></HTML> Tue, 06 Sep 2016 23:29:33 GMT https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/m-p/3456698#M537631 valinev 2016-09-06T23:29:33Z https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/m-p/3456699#M537635 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium;">Usually the password policies are set such as when to allow a user to change a password and when to expire the password. I do not believe the users got prompted to change passwords unless already expired. When not-yet-expired, they would update the passwords by other means. (Password change page facility external to ISE, you can use the ISE my devices or sponsor portals to do this by customizing it with some messaging</SPAN><SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium;">)</SPAN></P><P><SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium;">Right you would need to open up the ACL that is used before user logs into the machine so they can talk to AD to do the password change. This would be at machine authentication state</SPAN></P><P><SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium;"><BR /></SPAN></P><P><SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium;">page 9 of this doc may help you out<BR /></SPAN></P><P><SPAN style="color: #000000; font-family: -webkit-standard; font-size: medium;"><A href="https://community.cisco.com/docs/DOC-68152">How To: Deploy ISE in Low Impact Mode</A></SPAN></P></BODY></HTML> Wed, 07 Sep 2016 14:39:28 GMT https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/m-p/3456699#M537635 Jason Kunst 2016-09-07T14:39:28Z https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/m-p/3456700#M537641 <HTML><HEAD></HEAD><BODY><P>Hi Jason,</P><P></P><P>Thanks for the reply!</P><P></P><P>Yeah, you are right, users will get prompter to change their passwords only when password has already expired. It will pop up as native windows logon client, nothing to do with ISE. Opening up the pre-auth ACL to allow them to reset their AD passwords was my first thought, but customer is reluctant to do this, since they do not want to expose their AD to unauthenticated users. I know there is an option of Read Only Domain Controller (RODC) for those who do not want to expose their AD, but customer is not eager to go this way.</P><P></P><P>So I am trying to clarify what this MSHAP Enable Password Change option gives us when AD password <STRONG>already expired</STRONG>. Will user be able to get this Windows logon client pop up and change his password?</P><P></P><P><SPAN>&lt;</SPAN><A class="jive-link-external-small" href="http://www.cisco.com/neverbetter" rel="nofollow" target="_blank">http://www.cisco.com/neverbetter</A><SPAN>&gt;</SPAN></P><P></P><P></P><P></P><P>Vadim Linev</P><P>ARCHITECT.SOLUTIONS</P><P>Cisco Services</P><P></P><P></P><P></P><P></P><P>CCIE Security - 37396</P></BODY></HTML> Thu, 08 Sep 2016 03:39:08 GMT https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/m-p/3456700#M537641 valinev 2016-09-08T03:39:08Z https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/m-p/3456701#M537645 <HTML><HEAD></HEAD><BODY><P>Correct password change will happen. If customer doesn't want to expose AD then they will need to make sure they don't allow expiration. Would recommend they deploy a method to handle password change before this would happen and notify the user well ahead of time</P></BODY></HTML> Thu, 08 Sep 2016 14:43:46 GMT https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/m-p/3456701#M537645 Jason Kunst 2016-09-08T14:43:46Z