EAP-FAST low impact mode

ahurtadove
Level 1

Hi!

I'm having this delay when users change their passwords, and also when they expire. It seems that when the computer is restarted the user needs to log in with the previous password; since this is single sign-on, the user then fails and has to enter the new password. Sometimes NAM asks for the password and sometimes it doesn't, thus creating a loop and locking out the AD users.

I'm using low impact mode, permitting only AD services, but as it wasn't working and I'm using the critical VLAN feature, I had to put a permit any any in the pre-auth ACL. The problem persists.

I can also see that the users are logging in with a blank screen, which tells me the GPO is not being applied.

Any hints?

thank you

3 Replies

hslai
Cisco Employee

As you indicated that the user needs to log in with the previous password after the computer is restarted, it seems that either the computer does not have proper network access to AD at the time when the Windows OS prompts the user for credentials, or the AD domain controllers are not replicating the password changes fast enough. You might want to look at possibly tuning the lifetime period of an old password, which, as supplied by Windows Server 2003 Service Pack 1, modifies NTLM network authentication behavior.

Thank you. I believe it's somewhat related to your first point, as I can see that sometimes there is no machine auth when the login screen is presented to the user.

Getting into the AD registry could be an issue; it has suffered many upgrades/migrations and can be fragile at times.

Opened a TAC case.

This was finally a bug. It's still to be named, but the machine PAC is not being renewed and thus it fails to update the password.