
EAP-FAST AD password renewal

parl_ip
Level 1

I am having problems getting an expired Windows AD password to change successfully when doing EAP-FAST authentication and TKIP data encryption.

Configuration is: Windows XP & 350 card & ACU 6.5.01 on the client. 1200 AP - 12.3(4)JA & Cisco ACS v3.3 authenticating to Active Directory.

Authentication works fine, but when the password expires I get the change password screen, and after entering the old & new password I get the following message: "The old password does not match the password previously entered." I have attempted this several times without success.

I have double-checked the configurations on all devices. It all seems OK. As I have stated, authentication works fine until a password change is required.

Any ideas, or am I missing something?

2 Replies

ebreniz
Level 6

Database Configuration>Windows Database>Configure:

Make sure the correct domain is added and highlighted, then select enable password changes using MS-CHAP version 2.

Under Windows EAP settings, select enable password changes inside PEAP or EAP-FAST.

When doing password changes within EAP-FAST, the user must make the password change within 20 seconds, otherwise the password change will time out and fail. Set the value on the ACS server to 120 (max setting) and we now have a 120 second interval to enter the password change.

Sorry about the delay in replying - I have been on leave.

Double-checked the ACS configs & they are set as you suggested. Changed the ACS time-out to 120 secs. This did not resolve the problem. I am getting our W2K techs to check the domain config in case this is an issue. Have you been able to get password renewal to work with EAP-FAST in a W2K environment?

Again thanks for your help...

Stephen
