Solved: Re: self-reset password on windows with 802.1x enable

kriengsak.lomket · ‎11-19-2019

Hello there,

I would like to ask around and pool some ideas on how other planets are doing in the self-service password reset area for windows user.

Do you implement this self-service password reset function for windows users? and what method that you deployed 802.1x network authentication for Cisco ISE - AnyConnet?

Is the machine authentication are secure than the user authentication option?

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows

General limitations saying ...

This feature does not work for networks with 802.1x network authentication deployed and the option “Perform immediately before user logon”. For networks with 802.1x network authentication deployed it is recommended to use machine authentication to enable this feature.

Any advice and experience greeting appreciated.

Best Regards,

Kriengsak

Jason Kunst · ‎11-22-2019

Not sure really what you are going on here. If you're looking to do password reset for AD users in your domain that are using dot1x supplicant then likely you will not be able to do this. Its a limitation of the protocols and the software on the clients as well.

What most companies do is they setup a password change portal and notify the users well before the password expires.

https://www.google.com/search?sxsrf=ACYBGNQOfTondnRp_c0YiFmqVNJX27uAMQ%3A1574452709142&ei=5T3YXdmiCKek_QaysLz4BA&q=ise+password+change+dot1x&oq=ise+password+change+dot1x&gs_l=psy-ab.3..33i160.28750.29391..29645...0.2..0.232.1135.2-5......0....1..gws-...

Here are some threads on password change using google search
https://community.cisco.com/t5/identity-services-engine-ise/ise-dot1x-not-allowed-to-change-password-while-password-expired/td-p/3463385
https://community.cisco.com/t5/policy-and-access/users-can-t-change-password-since-802-1x-and-ise-implementation/td-p/2056965

View solution in original post

Jason Kunst · ‎11-22-2019

Not sure really what you are going on here. If you're looking to do password reset for AD users in your domain that are using dot1x supplicant then likely you will not be able to do this. Its a limitation of the protocols and the software on the clients as well.

What most companies do is they setup a password change portal and notify the users well before the password expires.

https://www.google.com/search?sxsrf=ACYBGNQOfTondnRp_c0YiFmqVNJX27uAMQ%3A1574452709142&ei=5T3YXdmiCKek_QaysLz4BA&q=ise+password+change+dot1x&oq=ise+password+change+dot1x&gs_l=psy-ab.3..33i160.28750.29391..29645...0.2..0.232.1135.2-5......0....1..gws-...

Here are some threads on password change using google search
https://community.cisco.com/t5/identity-services-engine-ise/ise-dot1x-not-allowed-to-change-password-while-password-expired/td-p/3463385
https://community.cisco.com/t5/policy-and-access/users-can-t-change-password-since-802-1x-and-ise-implementation/td-p/2056965

kriengsak.lomket · ‎12-06-2019

thanks for stop by for the information, we managed to resolve the issue.

TimPatrick-ADS · ‎02-25-2020

Would you be able to share what you did to solve it, we are facing the exact same issue.

v_cheriyan@qp.com.qa · ‎02-10-2022

could you please let me know how this was sorted out

Dércio Gulele · ‎07-14-2023

Hi.

How did you solve this issue, as I am facing the same problem.

Thanks,