Windows Domain Password Change In LEAP Environment

medic
Level 1

Our users are prompted to change their Windows domain password at 90 day intervals. However, since LEAP is the first logon in the process and has no mechanism to change the Windows domain password, there really is no way to gain connectivity short of using a wired connection to make the password change. Has anyone else experienced this issue? Of course the iPAQ is a whole other ball of wax. Thanks for any info.

Danny

4 Replies

tepatel
Cisco Employee

You can change the Windows domain password using LEAP too. For that you have to map the ACS to use the external database of Windows NT to authenticate wireless users using LEAP. So all the users can use their NT domain login for LEAP. That way you can manage NT network connectivity using just one initial Windows domain login using LEAP too.

So just point ACS to use NT database to authenticate LEAP users.

Now ACS does support a "password aging" feature where LEAP users authenticated against the ACS database will be prompted for a password change once it's expired. Here is the URL for that:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt30/user/g.htm#xtocid1197914

That is, in fact, what we currently do regarding NT domain account credentialing. No use of native accounts on our 3rd party RADIUS server. The way I see it is that LEAP and RADIUS reach out to the DC and are notified that the password is no longer valid, hence offering nothing more than an error message that the password is incorrect. What mechanism does LEAP have to allow an expired domain password to be changed at that point?

Danny

medic
Level 1

I have recently discovered that LEAP does not support changing expired passwords due to its support of CHAP v1, not v2. The suggestion has been made to use PEAP instead of LEAP. It's also my understanding that LEAP is not going to be re-written to support CHAP v2. Any comments as to why this is, since its use has become fairly widespread? We just recently made the change to LEAP authentication, and making another authentication change to PEAP is not a very convenient way of fixing this issue. I'm thinking that informing the users that they need to actually plug into a wired connection to change their domain password might be the easier way. But that defeats the whole point of "wireless".

Danny
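The workaround above (tell users to change an expiring domain password over a wired connection before LEAP stops authenticating them) only works if you know who is about to expire. The script below is an added example, not code from this thread or from Cisco: it takes the Active Directory attributes that drive expiry (pwdLastSet, the domain maxPwdAge, and the DONT_EXPIRE_PASSWORD bit of userAccountControl) and reports which accounts have expired, must change at next logon, or expire within a warning window. The account records, the 90-day policy and the fixed clock are constructed sample data; in a real run the same attribute values would come from an LDAP query.

```python
"""Flag domain accounts whose passwords have expired or are about to.

Added example, not from the thread. Attribute encodings follow Active
Directory (FILETIME ticks, negative maxPwdAge); the account records
below are constructed sample data, not real users.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag

# Domain maxPwdAge for a 90-day policy; AD stores it as a negative tick count.
MAX_PWD_AGE_90_DAYS = -90 * 86400 * TICKS_PER_SECOND

# Fixed clock so the sample output is deterministic (assumption, not a real date).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)


def datetime_to_filetime(dt):
    """Convert an aware datetime to FILETIME ticks using integer arithmetic only."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ft):
    """Convert FILETIME ticks back to an aware UTC datetime."""
    seconds, ticks = divmod(ft, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def filetime_days_before(now, days):
    """FILETIME of `days` days before `now` (helper for building sample data)."""
    return datetime_to_filetime(now - timedelta(days=days))


def password_expiry(pwd_last_set, max_pwd_age):
    """Expiry time of a password set at pwd_last_set under a maxPwdAge policy."""
    # maxPwdAge is negative, so subtracting it adds the policy interval.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def account_status(acct, max_pwd_age, now, warn_days):
    """Return (status, days_left) for one account record."""
    if acct["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return "never_expires", None
    if acct["pwdLastSet"] == 0:
        # pwdLastSet == 0 means "user must change password at next logon".
        return "must_change", None
    days_left = (password_expiry(acct["pwdLastSet"], max_pwd_age) - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "expiring", days_left
    return "ok", days_left


def expiring_accounts(accounts, max_pwd_age, now, warn_days=14):
    """Accounts to warn: expired, must-change, or expiring within warn_days."""
    flagged = []
    for acct in accounts:
        status, days_left = account_status(acct, max_pwd_age, now, warn_days)
        if status in ("must_change", "expired", "expiring"):
            flagged.append({"sam": acct["sAMAccountName"],
                            "status": status, "days_left": days_left})
    return sorted(flagged, key=lambda r: r["sam"])


# Constructed sample records (0x200 = NORMAL_ACCOUNT).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "pwdLastSet": filetime_days_before(NOW, 85), "userAccountControl": 0x200},
    {"sAMAccountName": "bob",   "pwdLastSet": filetime_days_before(NOW, 30), "userAccountControl": 0x200},
    {"sAMAccountName": "carol", "pwdLastSet": filetime_days_before(NOW, 95), "userAccountControl": 0x200},
    {"sAMAccountName": "dave",  "pwdLastSet": filetime_days_before(NOW, 400), "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "eve",   "pwdLastSet": 0, "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for row in expiring_accounts(SAMPLE_ACCOUNTS, MAX_PWD_AGE_90_DAYS, NOW):
        print(f'{row["sam"]:8} {row["status"]:12} days_left={row["days_left"]}')
```

Accounts already past expiry show a negative days_left, which is the case the thread describes: the only thing LEAP will report to that user is a bad-password failure, so these are the users who need a wired logon before they get another working wireless session. The DONT_EXPIRE_PASSWORD check matters because a fine-grained or per-account exemption would otherwise produce false warnings.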

We just completed a two main campus and 25+ satellite site conversion to LEAP. All laptops had to be touched by a contract crew. To face the same expense again because of PEAP would not go over well with management (or the network team for that matter). Even a dependable way to do the conversion automatically (via NT login script) or the autoinstaller (which we found incapable of updating NDIS drivers) would be acceptable. Also, we are still looking for a dependable way to change ACU profile settings without having to touch each PC (as asking most physicians to follow a procedure is a recipe for trouble). We tried a registry hack, but the profile settings are encrypted. The autoinstaller works for profiles, but not all of the profile settings are included in the model profile syntax. Has anyone encountered/solved this issue?
