WLAN EAP password change doesn't pop up with Android and iOS
01-30-2025 04:17 AM
We have to activate password aging on our SSIDs with Username/Password authentication.
With Windows and macOS, everything is fine. When the password has to be changed (aged, or the user is marked with "change password on next login"), the user is asked for a new one when connecting to the corresponding SSID.
But with Android and iOS the user isn't asked for a new one. The device tries to connect, fails and retries after a certain time. Android and iOS seem to ignore the RADIUS server's "change password".
When searching for advice, I found several community discussions here (some very old) regarding this topic, but no solution.
Involved in the tests:
Windows 11 and MacOS 15.4 (working), Android 15 and iOS 17.4.1 (not working)
Cisco CT5520 8.10.196.0, Cisco ISE 3.2
WLAN authentication is PEAP with inner Method EAP-MS-CHAPv2
01-30-2025 06:17 AM - edited 01-30-2025 06:29 AM
I think that is expected on mobile devices. This is usually on the client side; it's not that your RADIUS isn't sending it, but the mobile devices don't recognize that. Users usually have to forget the network and try it again. It's different if they are managed devices and you push certificates/configurations, in which case it doesn't use username and password, and then you would not need to worry about that.
Mobile devices cache these credentials so that they can typically just connect seamlessly. Until there is a failure, then the device will prompt for credentials, but by then it's too late and the account might be locked.
01-30-2025 06:30 AM
They are not managed devices, but temporary users with foreign devices. So we have to provide username/password and can't use certificates. Our security policy says, they have to change it every 90 days, but they can't with mobile devices.
Forgetting the network and trying again doesn't help.
I can't understand why the whole world has been living with this issue for many years. Why don't Google and Apple implement it in their WLAN?
01-30-2025 06:38 AM - edited 01-30-2025 06:39 AM
I get it. Mobile devices typically use generic wireless drivers or chipsets that may not have the same level of customization as desktop drivers. You almost need to set up some portal that can remind them. Have you looked at maybe doing something else? Maybe you can onboard the devices, since they need to be on your network? Do they need to connect their mobile devices to your internal network and not a guest network? I know that you want one solution for this, but until manufacturers want to make their devices more enterprise friendly, you will be facing this issue for a very long time.
01-30-2025 06:51 AM - edited 01-30-2025 06:52 AM
In former times we had web authentication on the WLC, which was not very reliable; we faced other issues with clients that didn't come up with a message to log in on the splash page. So we decided to use PEAP with user/password. Also, it is more comfortable for the user to be able to save the WLAN login and not have to log in every time they connect.
As far as I see, implementing Guest Portal on ISE would be the only remaining and possible solution. I didn't really want to do that. But if there's no other way, then I guess I have to. I'm just curious to see what other problems I'll run into. Probably the same as with web authentication on the WLC.
Thanks for your support.
01-30-2025 08:02 AM
> Android and iOS seem to ignore the Radius Server's "change password".
Remember the client has no knowledge of RADIUS as such. The client is "talking" layer 2 802.1X to the AP, and I don't think there's any way around it. Either you deploy a certificate-based solution or you find an out-of-band method for users to update their passwords before they expire. For example, the system emails the user 1 week before their password expires saying "Click here to update your password before date X, otherwise your user ID will be disabled".
As far as Google and Apple are concerned - they would just ask why you are using usernames and passwords with 802.1x.
Yes web auth is the other option. Yes devices still have problems with sometimes not popping up the captive portal.
You might also want to look at Passpoint and OpenRoaming. Onboarding the clients can sometimes be complicated though.
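The reply above makes the key point: the "change password" signal never reaches the phone as a RADIUS attribute. In a PEAP / EAP-MS-CHAPv2 authentication it is carried inside the inner MS-CHAPv2 method as a Failure packet whose Message field, per RFC 2759 section 6, reads `E=<error> R=<retry> C=<challenge> V=<version> M=<text>`, with error code 648 meaning ERROR_PASSWD_EXPIRED. A supplicant that implements the MS-CHAPv2 Change-Password packet (code 7, sent in reply to E=648 using the new challenge from C=) is the component that prompts the user; the RADIUS server and the WLC only see a retry or an Access-Reject. The following is an added example written for this page, not code from the thread, Cisco ISE or the WLC. It parses such a failure message, models the supplicant's reaction with a boolean flag (whether a given OS implements Change-Password is an assumption of the model, not something the thread establishes), and scans constructed sample log entries for accounts that keep hitting E=648, i.e. the accounts to contact out of band before they lock. All sample messages and usernames are constructed.

```python
"""Added example: where the MS-CHAPv2 "password expired" signal lives and how a
supplicant is expected to react. Not code from the thread, ISE or the WLC.

RFC 2759 section 6 formats the Failure packet's Message field as
    E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>
E  decimal error code (648 = ERROR_PASSWD_EXPIRED)
R  "1" if the authenticator allows a retry, "0" otherwise
C  fresh 16-octet authenticator challenge as 32 hex digits, to be used for the
   retry or for the Change-Password packet (code 7)
V  MS-CHAP version, M free-form text
"""
import re
from collections import Counter
from dataclasses import dataclass

# Error codes from RFC 2759 section 6.
ERROR_RESTRICTED_LOGON_HOURS = 646
ERROR_ACCT_DISABLED = 647
ERROR_PASSWD_EXPIRED = 648
ERROR_NO_DIALIN_PERMISSION = 649
ERROR_AUTHENTICATION_FAILURE = 691
ERROR_CHANGING_PASSWORD = 709

_FAILURE_RE = re.compile(
    r"^E=(?P<error>\d{1,10}) R=(?P<retry>[01]) C=(?P<challenge>[0-9A-Fa-f]{32})"
    r" V=(?P<version>\d{1,10})(?: M=(?P<message>.*))?$"
)


@dataclass(frozen=True)
class FailureRequest:
    error: int
    retry_allowed: bool
    challenge: bytes
    version: int
    message: str


def parse_failure_request(text: str) -> FailureRequest:
    """Parse the Message field of an MS-CHAPv2 Failure packet; raise on malformed input."""
    m = _FAILURE_RE.match(text)
    if m is None:
        raise ValueError(f"not an MS-CHAPv2 failure message: {text!r}")
    return FailureRequest(
        error=int(m["error"]),
        retry_allowed=m["retry"] == "1",
        challenge=bytes.fromhex(m["challenge"]),
        version=int(m["version"]),
        message=m["message"] or "",
    )


def supplicant_action(fr: FailureRequest, supports_change_password: bool) -> str:
    """Model of what the client (not the RADIUS server) does next.

    'change-password': prompt for a new password and send Change-Password (code 7)
                       computed against the new challenge from C=.
    'retry':           re-prompt for credentials and retry with the new challenge.
    'fail':            give up; the WLC/RADIUS side only ever sees the failure.
    `supports_change_password` is an assumption about the supplicant, not a fact
    about any particular OS.
    """
    if fr.error == ERROR_PASSWD_EXPIRED and fr.retry_allowed:
        return "change-password" if supports_change_password else "fail"
    if fr.error == ERROR_AUTHENTICATION_FAILURE and fr.retry_allowed:
        return "retry"
    return "fail"


def users_stuck_on_expired_password(log, threshold=3):
    """Given (username, failure_text) pairs, return users that hit E=648 at least
    `threshold` times: devices looping on an expired password instead of
    changing it, i.e. the accounts to notify out of band before they lock."""
    hits = Counter()
    for user, text in log:
        try:
            fr = parse_failure_request(text)
        except ValueError:
            continue  # not an MS-CHAPv2 failure message; ignore
        if fr.error == ERROR_PASSWD_EXPIRED:
            hits[user] += 1
    return sorted(u for u, n in hits.items() if n >= threshold)


# Constructed samples; not captured from the poster's WLC or ISE.
SAMPLE_EXPIRED = "E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired"
SAMPLE_BADPW = "E=691 R=1 C=ffeeddccbbaa99887766554433221100 V=3 M=Authentication failure"
SAMPLE_LOG = [
    ("alice", SAMPLE_EXPIRED), ("alice", SAMPLE_EXPIRED), ("alice", SAMPLE_EXPIRED),
    ("bob", SAMPLE_BADPW), ("carol", SAMPLE_EXPIRED), ("dave", "garbage"),
]

if __name__ == "__main__":
    fr = parse_failure_request(SAMPLE_EXPIRED)
    print("supplicant with Change-Password:   ", supplicant_action(fr, True))
    print("supplicant without Change-Password:", supplicant_action(fr, False))
    print("accounts looping on E=648:", users_stuck_on_expired_password(SAMPLE_LOG))
```

The practical use is the last function: on the server side you cannot make a phone prompt, but you can notice which accounts are repeatedly failing with E=648 and send the out-of-band reminder the reply suggests before the retry loop locks the account.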
