iOS based Wireless Client using WPA2-Enterprise locking Active Directory Accounts on password change / expiration

almccallum
Level 1

Hi all,

 

I am after a little guidance on what I am sure is a common deployment issue:

 

We currently have a Wireless / ISE deployment performing WPA2-Enterprise 802.1x authentication for wireless clients which are trusted corporate devices (the wireless is a Meraki solution).

Any domain computers which are MS Windows and members of the Domain Computers group use user and device certificate based 802.1x to connect to the wireless, all of which is working fine.

All corporate iPhones also connect to the same SSID but use MAB endpoint groups to determine device validity and then WPA2-Enterprise domain user credentials for authentication via EAP-MSCHAPv2. As these phones are not in AD we use Apple Configurator profiles for device configuration management and again this is working as expected.

 

The issue comes when a domain user changes their password or their password expires in line with corporate security policy. Obviously the certificate based domain computers continue to operate; however, the iPhones never prompt for the new domain credentials, either when the SSID is published via profiles or manually added, so they fail authentication. This historically then locked out the user account, but we have now tweaked the ISE RADIUS protocol configuration to reject more than 2 authentication failures for 15 minutes to stop this. However, what now happens is the iPhone never rejoins the SSID and is constantly failing to authenticate against the ISE using the cached credentials without prompting for new / updated ones. The only way to 'fix' it is to remove the profile / forget the SSID and rejoin, which is obviously not a viable enterprise solution every time a user password changes.

 

Has anyone come across this / a similar issue on the iPhones, and is there a fix or known workarounds?

 

Thanks all!
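One defensive measure that fits the situation described above is to spot the endpoint that is looping on stale cached credentials before the AD account is locked, so the right fix (re-provisioning the phone) is applied instead of repeatedly unlocking the user. The following is an added example, not code from the original post or from ISE; it parses constructed RADIUS-style failure lines (the format is an assumption, not ISE's real syslog layout) and flags any user/MAC pair that exceeds the 2-failures-in-15-minutes threshold the post mentions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed RADIUS-style format (not real ISE output).
# jdoe's phone keeps retrying cached credentials; asmith has two isolated failures.
SAMPLE_LOG = """\
2024-03-01T08:00:05 FAILED user=CORP\\jdoe mac=AA:BB:CC:11:22:33 reason=AUTH_FAIL_MSCHAPV2
2024-03-01T08:00:35 FAILED user=CORP\\jdoe mac=AA:BB:CC:11:22:33 reason=AUTH_FAIL_MSCHAPV2
2024-03-01T08:01:05 FAILED user=CORP\\jdoe mac=AA:BB:CC:11:22:33 reason=AUTH_FAIL_MSCHAPV2
2024-03-01T08:02:00 PASSED user=CORP\\asmith mac=AA:BB:CC:44:55:66
2024-03-01T08:03:00 FAILED user=CORP\\asmith mac=AA:BB:CC:44:55:66 reason=AUTH_FAIL_MSCHAPV2
2024-03-01T08:30:00 FAILED user=CORP\\asmith mac=AA:BB:CC:44:55:66 reason=AUTH_FAIL_MSCHAPV2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>PASSED|FAILED) user=(?P<user>\S+) mac=(?P<mac>\S+)"
)


def find_stale_credential_loops(log_text, max_failures=2, window=timedelta(minutes=15)):
    """Return {(user, mac): first_breach_time} for endpoints whose failure count
    within a sliding `window` exceeds `max_failures` (the ISE setting in the post).
    Keying on user AND MAC points the helpdesk at the device to re-provision."""
    failures = defaultdict(list)
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("result") != "FAILED":
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        key = (m.group("user"), m.group("mac"))
        # Keep only failures still inside the window relative to this event.
        recent = [t for t in failures[key] if ts - t <= window]
        recent.append(ts)
        failures[key] = recent
        if len(recent) > max_failures and key not in flagged:
            flagged[key] = ts
    return flagged


if __name__ == "__main__":
    for (user, mac), when in find_stale_credential_loops(SAMPLE_LOG).items():
        print(f"{when.isoformat()} {user} on {mac}: repeated failures, re-provision endpoint")
```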

4 Replies

Jaderson Pessoa
VIP Alumni

Hello,

 

Today I have the same situation, but it is a limitation of the iPhone or other devices like it. To solve it, I create a user to use only on this device (iPhone) that has a specific password policy, like don't expire password and other features that I need.

 

 

Regards,

 

Jaderson Pessoa
*** Rate All Helpful Responses ***

Unfortunately this is an Apple issue. There might be a way to configure the Apple device to do this.

You could potentially enroll the Apple devices and do certificate based auth to get around this.

 

Otherwise the best bet would be to try the Apple forums or log a ticket with Apple to find a method to fix it from the client. The phone should prompt the user to re-enter credentials when an auth reject is given.


patoberli
VIP Alumni
On Windows RADIUS, in the PEAP (and again in the EAP MS-CHAPv2) properties, you can enable/disable the "User can change the password after it has expired" functionality for the RADIUS profile. I think if that is disabled, then the client doesn't get informed that the password is expired and thus never asks for the new password. Maybe the ISE also offers such a function.

But if the password has expired, the device won't be able to connect to the network again.
Jaderson Pessoa