Wireless 802.1X, Microsoft NPS RADIUS: Users Cannot Log On With Expired Accounts
Takeaway: Troubleshooting AD user password changes using 802.1X authentication.
Problem:
Users whose passwords have expired ("expired accounts" below) cannot log on. The Windows client should prompt the user to choose a new password (the MS-CHAP v2 change-password exchange) but never gets the opportunity.
- The logged errors indicate a user password error.
- Microsoft: Protected EAP (PEAP) is set to use EAP-MSCHAP v2, and I made sure "allow user to change password" is checked.
Basic Layout:
- Multiple Juniper WLC2 controllers at multiple geographic locations working in a cluster.
- 802.1X authentication is handled by Microsoft Network Policy Server (NPS), with a network policy that lets RADIUS authenticate users against Active Directory.
Is there a CLI setting I need to enable in the WLC2s?
- I set the RADIUS Termination-Action attribute to 1 in case the default disconnect behavior was terminating the re-attempt. This didn't help.
Is it a Windows client setting? I've tried all the combinations I could think of, including disabling single sign-on and removing the automatic domain user name logon.
Is the problem with vendor-specific RADIUS attributes (VSAs)? This is my suspicion, but I CANNOT find any documentation on the subject.
- What is the correct vendor code? Do I use a Juniper code or the Trapeze code?
- What are the specific configurations for the attribute?
- Do I need to remove anything from the NPS policy in order for the vendor attribute to work?
Solution:
My hypothesis was incorrect. I first changed the Juniper WLC 802.1X authentication method from "PEAP-MSCHAPV2" to "Pass-Through":
PEAP-MSCHAPV2:
  # set authentication dot1x ssid SIDDNAME ** peap-mschapv2 webview-default
Pass-Through:
  # set authentication dot1x ssid SIDDNAME ** pass-through webview-default
(In MSS, "**" is the user-glob that matches every user name, and webview-default is the RADIUS server group.)
Pass-Through makes the WLC forward the EAP exchange to the RADIUS server instead of terminating PEAP itself, so the PEAP tunnel should run end to end between the Windows client and the NPS server. I reasoned vendor-specific attributes were not necessary between a Windows server and client. Expired accounts continued to fail authentication after the change of authentication method.
My focus changed to the Windows client wireless settings. The problem stemmed specifically from the client's wireless single sign-on (SSO) settings. I plan to implement computer + user authentication at a future date, but for the time being only user authentication mode is enabled.
Ironically, SSO is designed to resolve problems with user-only authentication:
- The user cannot log on to the domain because no connection to the domain controllers is available yet, so locally cached credentials are used to authenticate (sometimes incorrectly) to the RADIUS server.
I removed all SSO options from the Windows wireless client under the "Advanced settings" dialog.
N.B., under the EAP-MSCHAP v2 configuration I was still able to check "Automatically use my Windows logon name and password (and domain if any)".
After I removed SSO, users with expired accounts were able to pick a new password and complete the network connection. I still believe it is possible to use SSO with 802.1X user-only authentication; my situation didn't require further research. I also suspect SSO would have worked had I used both computer and user authentication.
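The same three settings (authentication mode, single sign-on, and the "use my Windows logon name and password" box) live in the saved WLAN profile XML, so the fix above can be audited and applied from an elevated PowerShell prompt instead of the dialog. The script below is an added example, not part of the original post; it assumes a placeholder profile name CORP-WLAN, that WLAN AutoConfig and netsh are available, and it reads the element names from Microsoft's WLAN profile and OneX XML schemas.

```powershell
<#
  Added example (not from the original post): audit the 802.1X settings of a saved
  Windows WLAN profile and optionally re-import it without the single sign-on block.
  Assumptions: profile name CORP-WLAN is a placeholder; run elevated so netsh can
  replace the all-user profile; element names follow the WLAN profile / OneX schemas.
#>
param(
    [string]$ProfileName = 'CORP-WLAN',  # assumed SSID / profile name
    [switch]$RemoveSso                   # re-import the profile with SSO removed
)

$work = Join-Path $env:TEMP 'wlan-8021x-audit'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# Export the stored profile as XML. We only touch the 802.1X (OneX) section,
# so key=clear is not needed and no passphrase is written in the clear.
netsh wlan export profile "name=$ProfileName" "folder=$work" | Out-Null
$file = Get-ChildItem -Path $work -Filter '*.xml' |
        Where-Object { $_.Name -like "*$ProfileName*" } | Select-Object -First 1
if (-not $file) { throw "Profile '$ProfileName' was not exported; check 'netsh wlan show profiles'." }

[xml]$doc = Get-Content -Raw -Path $file.FullName
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('onex',   'http://www.microsoft.com/networking/OneX/v1')
$ns.AddNamespace('mschap', 'http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1')

$onex = $doc.SelectSingleNode('//onex:OneX', $ns)
if (-not $onex) { throw "Profile '$ProfileName' has no 802.1X (OneX) section." }

# authMode: user | machine | machineOrUser (schema default). The post's setup is user-only.
$authMode = $onex.SelectSingleNode('onex:authMode', $ns)
# singleSignOn is present only when "Enable single sign on for this network" is ticked;
# its <type> is preLogon or postLogon.
$sso = $onex.SelectSingleNode('onex:singleSignOn', $ns)
# UseWinLogonCredentials is the "Automatically use my Windows logon name and password"
# box inside the EAP-MSCHAP v2 properties, nested under the PEAP configuration.
$winCreds = $doc.SelectSingleNode('//mschap:UseWinLogonCredentials', $ns)

[pscustomobject]@{
    Profile                = $ProfileName
    AuthMode               = if ($authMode) { $authMode.InnerText } else { 'machineOrUser (default)' }
    SingleSignOn           = if ($sso) { $sso.SelectSingleNode('onex:type', $ns).InnerText } else { 'disabled' }
    UseWinLogonCredentials = if ($winCreds) { $winCreds.InnerText } else { 'false (default)' }
} | Format-List

if ($RemoveSso -and $sso) {
    # Drop only the SSO element; SSID, PEAP/MSCHAPv2 and server certificate checks stay as exported.
    [void]$onex.RemoveChild($sso)
    $fixed = Join-Path $work "$ProfileName-nosso.xml"
    $doc.Save($fixed)
    # Replace the stored profile with the edited copy for all users of the machine.
    netsh wlan delete profile "name=$ProfileName"
    netsh wlan add profile "filename=$fixed" user=all
}
```

Run it once without -RemoveSso to see what the client is actually configured to do; a profile showing AuthMode user together with a preLogon SSO type is the combination described above. Running it again with -RemoveSso reproduces the fix, and the exported XML in the temp folder doubles as a record of the pre-change state.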
Last updated November 15th, 2013 by Steven Jordan.