
Self-reset password on Windows with 802.1x enabled

Hello there,

I would like to ask around and pool some ideas on how other planets are doing in the self-service password reset area for Windows users.

Do you implement this self-service password reset function for Windows users? And what method did you deploy for 802.1x network authentication with Cisco ISE - AnyConnect?

Is machine authentication more secure than the user authentication option?

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows

General limitations saying ...

This feature does not work for networks with 802.1x network authentication deployed and the option “Perform immediately before user logon”. For networks with 802.1x network authentication deployed it is recommended to use machine authentication to enable this feature.

Any advice and experience greatly appreciated.

Best Regards, 

Kriengsak
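
As an added illustration of the limitation quoted in the question (not part of the original thread, and not Microsoft or Cisco code): a Python check over a Windows 802.1X profile exported with `netsh lan export profile` or `netsh wlan export profile`. It assumes the "Perform immediately before user logon" option is stored as `<singleSignOn><type>preLogon</type>` in the profile's OneX section; the sample profile and the function name `audit_profile` are constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET

ONEX_NS = {"onex": "http://www.microsoft.com/networking/OneX/v1"}

# Constructed sample of a wired profile in the netsh export layout (not real data).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <singleSignOn>
        <type>preLogon</type>
        <maxDelay>10</maxDelay>
      </singleSignOn>
    </OneX>
  </security></MSM>
</LANProfile>"""


def audit_profile(xml_text):
    """Return (auth_mode, sso_type, findings) for one exported profile."""
    root = ET.fromstring(xml_text)
    # The OneX element sits under MSM/security in wired and wireless profiles.
    onex = root.find(".//onex:OneX", ONEX_NS)
    if onex is None:
        return None, None, ["no 802.1X settings in this profile"]
    auth_mode = onex.findtext("onex:authMode", "unset", ONEX_NS)
    sso_type = onex.findtext("onex:singleSignOn/onex:type", None, ONEX_NS)
    findings = []
    if sso_type == "preLogon":
        # Assumption: preLogon is the stored form of the GUI option named in the docs.
        findings.append("single sign-on runs immediately before user logon; "
                        "the quoted limitation applies")
    if auth_mode != "machine":
        findings.append(f"authMode is {auth_mode!r}; the documentation "
                        "recommends machine authentication")
    return auth_mode, sso_type, findings


if __name__ == "__main__":
    # Pass exported profile XML files as arguments; with none, audit the sample.
    profiles = {p: open(p, "rb").read() for p in sys.argv[1:]}
    for name, text in (profiles or {"constructed sample": SAMPLE_PROFILE}).items():
        print(name, audit_profile(text))
```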

Accepted Solution

Jason Kunst
Cisco Employee
Not sure really what you are going on here. If you're looking to do password reset for AD users in your domain that are using dot1x supplicant then likely you will not be able to do this. It's a limitation of the protocols and the software on the clients as well.

What most companies do is they set up a password change portal and notify the users well before the password expires.

https://www.google.com/search?sxsrf=ACYBGNQOfTondnRp_c0YiFmqVNJX27uAMQ%3A1574452709142&ei=5T3YXdmiCKek_QaysLz4BA&q=ise+password+change+dot1x&oq=ise+password+change+dot1x&gs_l=psy-ab.3..33i160.28750.29391..29645...0.2..0.232.1135.2-5......0....1..gws-...

Here are some threads on password change using Google search:
https://community.cisco.com/t5/identity-services-engine-ise/ise-dot1x-not-allowed-to-change-password-while-password-expired/td-p/3463385
https://community.cisco.com/t5/policy-and-access/users-can-t-change-password-since-802-1x-and-ise-implementation/td-p/2056965


5 Replies

Thanks for stopping by with the information. We managed to resolve the issue.

Would you be able to share what you did to solve it? We are facing the exact same issue.

Could you please let me know how this was sorted out?

Hi.

How did you solve this issue? I am facing the same problem.

Thanks,