802.1x Wifi, password changes and mobile devices

Jason_J
New here

802.1x Wifi, password changes and mobile devices

Hello all,

     For this setup, there are 2 SSIDs (Guest and internal) being deployed to 7 sites in the US.  I have a setup where the Internal SSID is using EMM/Meraki SM Sentry enrollment and enforcing on iOS and Android devices (we use a separate product for OS X and Windows), authentication is through an on site Windows Radius server and Active Directory accounts.  All is well for new users or people when they first join the wifi.  The AD password policy is fairly aggressive where passwords are changed every 90 days.  Users are of course prompted to change their password on their Windows PC (Email or etc.) but they are not prompted on their mobile device to change the password and, if left unchanged, will lock their AD account and disrupt their PC, Email, etc. temporarily (15 minute reset) continually until the device is updated.  So I'm trying to find a solution to either automate updating the saved credentials on the mobile device, implement some kind of notification system so the users get a notification that they need to change it, or force the device off the wifi so that they will need to re-enter the wifi settings and not lock their account out.  Right now I have an Windows Event log forward that lets me know what account is being locked out, but won't provide the device name (if it's empty, we assume it's an iOS, Android, or Blackberry device) but some users have one or multiple iPads, iPhones, or personal Android devices so narrowing down the device can be difficult at time.

 

Thanks for your help!


Jason J.

6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal

I have deployed a lot of WPA2-Enterprise configurations - and I've never had an issue with mobile devices causing an AD account to become locked after a user has changed their password.  What should happen is that NPS blocks the failed login attempts before the AD lock out policy kicks in.

 

I found this article about the issue.

https://support.microsoft.com/en-nz/help/2824560/the-nps-server-locks-a-user-account-after-four-trie...

Philip,

     I had the default RADIUS at 2 retries, I did increase the domain lockout to 8 (from 5) so far today their haven't been any more lockouts, on the wireless side anyway.  I'll see how this week goes but thanks for the help!

Hi Jason,

 

Where did you change that? In radius server? Is there any option to change it through Meraki portal as well? Please help me i am also experiencing same issue.

 

BR

Tan

randhall
Getting noticed

Not super helpful, but devices like this should naturally float to the top the "Connection issues by client" list in Wireless Health.

 

I regularly check this and proactively notify users--suggesting that they change the password on their device. They generally appreciate it.

Randhall,

     I do see a number of clients with connection issues in Wireless Health, so I will dig into that more, however a bit of the problem is a lot of mobile devices have their names set to default (EMM was introduced after a number of devices had already been deployed) and I do see a number of MAC addresses listed, so that may be a bit harder to track down.

 

Thank You,

Jason

More detail:

 

I take devices with a high rate of authentication failures and look at them in Client view to grab the recent username. We're an AD shop so a quick NET USER /DOMAIN username will show the last password change. Lots and lots of times its very recent and correlates with 7/30 day Client Usage.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels