DOT1x Authentication failed with error user password expired

MED Amine MB
Level 1

Hello,

I'm using ISE 2.7 and started facing problems with authentication when the users are asked to change their AD password:

- The first one: the user is asked to change the password, and if the password matches the criteria the new password is accepted and he is authenticated, but once he gains access to his machine he is presented with APIPA and can't perform any network-related action.

- The second one: the user is either not able to change the password or is presented with a message saying he is no longer on the company domain and is not able to change the password.

I'm currently using PEAP authentication on all my machines, configured with GPO.

Did anyone ever find a solution for these problems?


Regards,

1 Accepted Solution

Greg Gibbs
Cisco Employee

I believe this discussion is related to the same question but, without more detail on how your ISE policy and switch are configured (are you using a Low Impact Mode or Closed Mode model, etc), it's difficult to speculate about the domain/IP address issues.

https://community.cisco.com/t5/network-access-control/quot-enable-password-change-quot-ms-chapv2-option-and-expired-ad/td-p/3456698

In general, 802.1x using PEAP(MSCHAPv2) will allow the user to be prompted to change their password at login. However, the PC must have connectivity to the domain to facilitate the password change. In this scenario, the password change happens in the Computer state before the transition to the User state, so the supplicant must be configured to authenticate the Computer (either 'User or computer authentication' or 'Computer authentication') and the authorization provided in the Computer state must allow the necessary connectivity to the domain.

3 Replies

Hello,

Thanks for your reply.

So on the supplicant I need to allow computer authentication.

Also, what exactly do you mean by "the authorization provided in the Computer state must allow the necessary connectivity to the domain."?

Do you mean I need a new policy on the ISE to allow my computers with MAB and allow them to reach AD?

And will the computer get an IP from the DHCP server or APIPA?

Thanks again.

Regards,

I describe the order of operations for 802.1x Computer and User authentication in this document.
https://community.cisco.com/t5/security-knowledge-base/cisco-ise-with-microsoft-active-directory-azure-ad-and-intune/ta-p/4763635#toc-hId-296059835

You will need an authorization policy in ISE that will permit connectivity to the necessary systems like DHCP, DNS, and Active Directory when Windows is in the Computer state.
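As an added illustration of the Computer-state authorization described in the accepted answer and in the reply above (this is not configuration from the thread or from Cisco), the following downloadable ACL (dACL) could be attached to the authorization profile that ISE returns when only the machine has authenticated. It permits just what Windows needs to get an address, find the domain and change a password; the domain controller address 10.10.10.11 is a constructed placeholder, and the remark lines are explanatory.

```text
remark -- Computer-state dACL: machine authenticated, no user logged on yet --
remark DHCP first; without this the host falls back to an APIPA address
permit udp any eq bootpc any eq bootps
remark DNS and NTP against the domain controller (placeholder 10.10.10.11)
permit udp any host 10.10.10.11 eq domain
permit tcp any host 10.10.10.11 eq domain
permit udp any host 10.10.10.11 eq ntp
remark Kerberos, plus kpasswd (464) which carries the password change itself
permit tcp any host 10.10.10.11 eq 88
permit udp any host 10.10.10.11 eq 88
permit tcp any host 10.10.10.11 eq 464
permit udp any host 10.10.10.11 eq 464
remark LDAP, LDAPS and Global Catalog for domain and site lookups
permit tcp any host 10.10.10.11 eq 389
permit udp any host 10.10.10.11 eq 389
permit tcp any host 10.10.10.11 eq 636
permit tcp any host 10.10.10.11 eq 3268
permit tcp any host 10.10.10.11 eq 3269
remark SMB and RPC endpoint mapper for Netlogon, SYSVOL and Group Policy
permit tcp any host 10.10.10.11 eq 445
permit tcp any host 10.10.10.11 eq 135
remark RPC dynamic ports used by Netlogon/SAM after the endpoint mapper
permit tcp any host 10.10.10.11 range 49152 65535
remark Repeat the entries above for each additional domain controller
remark Everything else waits for the User-state authorization result
deny ip any any
```

In Closed Mode the port passes nothing until ISE authorizes it, so this machine-state result is the only thing giving the PC the connectivity the password change depends on; in Low Impact Mode the port ACL applied before authentication must allow at least DHCP for the same reason.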