11-26-2010 04:57 AM - edited 07-03-2021 07:28 PM
In a WLC 5508 that is configured to authenticate users against Cisco ACS (configured to use Windows Database -> Active Directory), we would like to know if there is a way to change the password via a wireless client when the password expires, or when it is a new user who has been set to change the password at the first login.
Thanks in advance.
11-26-2010 05:15 AM
Hi,
Sure you can do this if you use MSCHAPv2 allowing password change.
MSCHAPv2 is the inner method by default in PEAP (PEAP-MSCHAPv2).
I am not sure what ACS version you are using, but here is a config example for "PEAP under Unified Wireless Networks with ACS 4.0 and Windows 2003":
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-26-2010 08:08 AM
Tiago,
Thanks for your reply. I read the article but I don't find where I have to set or enable the possibility to change the password for a wireless client.
We are using PEAP-MSChapV2 and ACS 4.2.
We also use Web-auth; do you know if it is possible to configure something similar for this auth type?
Thanks.
11-27-2010 11:17 PM
Hi,
In ACS 4.2 you only need to allow MSCHAPv2 password change:
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-07-2010 04:42 AM
Tiago,
We have configured and tested it, but it doesn't work. In the ACS (v4.2) logs we see the error "PEAP-FAST password change error". We don't understand why this is showing up since we are using PEAP-MSChapV2 and PEAP-FAST is disabled.
What do you suggest we could check?
Thanks.
12-08-2010 12:45 AM
Hi,
What is the client supplicant software?
Can you describe the user experience when logging in... what pop-ups he gets, what he inserts, ...
BR,
Tiago
12-08-2010 06:21 AM
Tiago,
The client supplicant that we are using is the windows native supplicant.
When the user connects to the wireless network and enters the credentials, a pop-up appears that asks the client to change the password. The client enters the old password and twice the new password. Then the authentication fails (the logs in the ACS show that the authentication fails because "PEAP-FAST is not allowed").
Thanks again.
12-11-2010 08:48 PM
I don't know that you can. Because the client is not authenticated to the network to get on to even change an expired password. UNLESS you have a machine account whereby the MACHINE gets access to the network (via wireless) and the client can then change his password.
12-15-2010 11:34 AM
Thanks for the replies.
Searching on the ACS user guide more deeply I found that it can be done, tested it, and it works.
What you have to do, in addition to what Tiago said, is set on External User Database -> Windows Database -> Configure -> Windows EAP settings -> Enable password change inside PEAP or PEAP-Fast.
12-19-2010 03:04 AM
Windows 7 has a "single sign on" option. I regularly log onto a machine and create a profile and change passwords over the air using this feature. It works very well.
12-20-2010 07:25 AM
So my question is "how does the wireless client" get authenticated to the network PRIOR to changing the password. You would have to have something...