This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
We use EAP-TLS with ISE as the radius server to authenticate against Active Directory.
The supplicant is set up to use both machine and user authentication.
But we cannot get password reset to work with this setup. As soon as the users press the Reset Password link, the computer looses network connection. Of course, in this point in time, it is the computer that is authenticated, not the user.
I've been told to check if Allow password change is enabled under External Identity Sources -> Active Directory -> Advanced Settings. And it is.
And under Policy - Results -> Authentication -> Allowed protocols it is enabled.
But I notice one thing: Under Allow EAP-TLS, there is no check box for Allow password change... Does that mean that EAP-TLS does not support Allow password change?
I don't understand how the windows password change should impact the supplicant's ability to authenticate via EAP-TLS (certificate) - there is no username password involved in EAP-TLS.
Are you saying that when the user resets their AD password via CTRL-ALT-DEL and then selects 'Change a password', then they lose connection to the network ? Wired or wireless ?
I have a feeling you're using EAP-PEAP ... and by changing the AD password (and not the password cached in the WLAN profile for the EAP-PEAP SSID) you cut yourself off from the network. That would happen to BYOD devices where the AD creds are used, and then as soon as the user changes their AD password on the corporate device (or via office365) then the BYOD suddenly stop working.
When your computer boots up, and you press the ANY key, you get to boxes; one for username and one for password.
At this point, the COMPUTER is logged into to the network since the supplicant is set up to use both computer and user logon.
But BELOW those two boxes, there is a link saying Reset Password.
As soon as that link is pressed, the computer looses the network connection, and the password reset naturally fails.
It is the same for both wired and wireless.
And I assure you, we use EAP-TLS for authentication, not PEAP
I tried ctrl-alt-del after the user logged-in and updated the password successfully. Also successfully to change the password when the user required to change its password in the next login. Both done with EAP-TLS user or computer.
The only reset-password link I can find seems for reset the local account password on Windows 10, See Change or reset your Windows password