Users can't change password with 802.1x EAP-TLS and ISE

dal
Level 3

Hi.

We use EAP-TLS with ISE as the radius server to authenticate against Active Directory.

The supplicant is set up to use both machine and user authentication.

But we cannot get password reset to work with this setup. As soon as the user presses the Reset Password link, the computer loses network connection. Of course, at this point in time, it is the computer that is authenticated, not the user.

 

I've been told to check if Allow password change is enabled under External Identity Sources -> Active Directory -> Advanced Settings. And it is.

And under Policy - Results -> Authentication -> Allowed protocols it is enabled.

But I notice one thing: Under Allow EAP-TLS, there is no check box for Allow password change... Does that mean that EAP-TLS does not support Allow password change?

4 Replies

Arne Bier
VIP

I don't understand how the Windows password change should impact the supplicant's ability to authenticate via EAP-TLS (certificate) - there is no username/password involved in EAP-TLS.

Are you saying that when the user resets their AD password via CTRL-ALT-DEL and then selects 'Change a password', then they lose connection to the network ? Wired or wireless ?

 

I have a feeling you're using EAP-PEAP ... and by changing the AD password (and not the password cached in the WLAN profile for the EAP-PEAP SSID) you cut yourself off from the network. That would happen to BYOD devices where the AD creds are used, and then as soon as the user changes their AD password on the corporate device (or via Office 365) the BYOD devices suddenly stop working.

When your computer boots up, and you press the ANY key, you get two boxes; one for username and one for password.

At this point, the COMPUTER is logged in to the network since the supplicant is set up to use both computer and user logon.

But BELOW those two boxes, there is a link saying Reset Password.

As soon as that link is pressed, the computer loses the network connection, and the password reset naturally fails.

It is the same for both wired and wireless.

And I assure you, we use EAP-TLS for authentication, not PEAP
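Both points argued above, whether the profile really is EAP-TLS rather than PEAP and whether the supplicant is set to "machine or user" authentication, can be checked directly from the 802.1X profile XML that Windows exports with `netsh wlan export profile` and `netsh lan export profile`. The script below is an added example and not code from this thread, Cisco or Microsoft; it parses exported profiles and reports the EAP method chain and the `authMode` element. The two embedded profiles are constructed samples for offline use, and the file name `check_8021x_profile.py` is an assumption.

```python
"""
Added example (not from the thread): report the EAP method and authMode from
exported Windows 802.1X profiles. Export them on the client first, e.g.
    netsh wlan export profile name="CorpWiFi" folder=C:\\temp
    netsh lan export profile folder=C:\\temp interface="Ethernet"
then run:  python check_8021x_profile.py C:\\temp\\*.xml
With no arguments it runs on the two constructed sample profiles below.
"""
import sys
import glob
import xml.etree.ElementTree as ET

# EAP method numbers as written in the EapHostConfig <Type> element (IANA EAP registry).
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Constructed sample: wireless profile, EAP-TLS, machineOrUser (the setup described in the thread).
SAMPLE_WLAN_EAPTLS = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <MSM><security>
    <authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>13</Type></Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>
"""

# Constructed sample: wired profile, PEAP with inner EAP-MSCHAPv2, machine-only.
SAMPLE_LAN_PEAP = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnforced>false</OneXEnforced><OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machine</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
          </EapType></Eap></Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</LANProfile>
"""


def _local(tag):
    """Strip the XML namespace from an ElementTree tag: '{ns}authMode' -> 'authMode'."""
    return tag.rsplit("}", 1)[-1]


def summarize_profile(xml_text):
    """Return kind (wlan/lan), profile name, authMode, EAP type chain and whether a password method is used."""
    root = ET.fromstring(xml_text)
    kind = "wlan" if _local(root.tag) == "WLANProfile" else "lan"
    name, auth_mode, types = None, None, []
    for el in root.iter():
        tag, text = _local(el.tag), (el.text or "").strip()
        if tag == "name" and name is None and kind == "wlan":
            name = text  # first <name> in document order is the profile name
        elif tag == "authMode":
            auth_mode = text  # machine, user, machineOrUser or guest
        elif tag == "Type" and text.isdigit() and int(text) not in types:
            types.append(int(text))  # outer method first, then any inner (tunnelled) method
    return {
        "kind": kind,
        "name": name,
        "auth_mode": auth_mode,
        "eap_types": types,
        "method": " / ".join(EAP_TYPES.get(t, "EAP type %d" % t) for t in types),
        # EAP-MSCHAPv2 is the only method here that sends a password; EAP-TLS does not.
        "password_based": 26 in types,
    }


def main(paths):
    if not paths:
        for label, xml_text in (("sample-wlan", SAMPLE_WLAN_EAPTLS), ("sample-lan", SAMPLE_LAN_PEAP)):
            print(label, summarize_profile(xml_text))
        return
    for pattern in paths:
        for path in glob.glob(pattern):
            with open(path, encoding="utf-8-sig") as fh:
                print(path, summarize_profile(fh.read()))


if __name__ == "__main__":
    main(sys.argv[1:])
```

If the report shows `EAP-TLS` with `password_based` False, a password change cannot invalidate the cached network credential the way it would for a PEAP / EAP-MSCHAPv2 profile, which is the distinction the two replies above disagree about; `auth_mode` shows whether the profile is `machineOrUser` as the original post states.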

hslai
Cisco Employee

I tried Ctrl-Alt-Del after the user logged in and updated the password successfully. I also successfully changed the password when the user was required to change their password at the next login. Both were done with EAP-TLS user or computer authentication.

The only reset-password link I can find seems to be for resetting the local account password on Windows 10. See Change or reset your Windows password 

Would you mind please posting the screenshot of the password reset link you are referring to?
