For this setup, there are two SSIDs (Guest and Internal) being deployed to 7 sites in the US. I have a setup where the Internal SSID is using EMM/Meraki SM Sentry enrollment and enforcing on iOS and Android devices (we use a separate product for OS X and Windows); authentication is through an on-site Windows RADIUS server and Active Directory accounts. All is well for new users or for people when they first join the Wi-Fi.

The AD password policy is fairly aggressive, with passwords changed every 90 days. Users are of course prompted to change their password on their Windows PC (email, etc.), but they are not prompted on their mobile device to change the password, and, if it is left unchanged, it will lock their AD account and disrupt their PC, email, etc. temporarily (15-minute reset), continually, until the device is updated.

So I'm trying to find a solution to either automate updating the saved credentials on the mobile device, implement some kind of notification system so that users get a notification that they need to change it, or force the device off the Wi-Fi so that they will need to re-enter the Wi-Fi settings and not lock their account out.

Right now I have a Windows event log forward that lets me know which account is being locked out, but it won't provide the device name (if it's empty, we assume it's an iOS, Android, or BlackBerry device). Some users have one or multiple iPads, iPhones, or personal Android devices, so narrowing down the device can be difficult at times.
I have deployed a lot of WPA2-Enterprise configurations, and I've never had an issue with mobile devices causing an AD account to become locked after a user has changed their password. What should happen is that NPS blocks the failed login attempts before the AD lockout policy kicks in.
I had the default RADIUS at 2 retries; I did increase the domain lockout to 8 (from 5), and so far today there haven't been any more lockouts, on the wireless side anyway. I'll see how this week goes, but thanks for the help!
I do see a number of clients with connection issues in Wireless Health, so I will dig into that more; however, a bit of the problem is that a lot of mobile devices have their names set to the default (EMM was introduced after a number of devices had already been deployed), and I do see a number of MAC addresses listed, so that may be a bit harder to track down.
I take devices with a high rate of authentication failures and look at them in Client view to grab the recent username. We're an AD shop, so a quick NET USER /DOMAIN username will show the last password change. Lots and lots of times it's very recent and correlates with the 7-/30-day Client Usage.
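The two checks described in this thread, "which account got locked out and when did its password last change" (the log forward in the first post, NET USER in the last), can be done from the log side as well, which answers the question the first post raises: the lockout event does not name the device, but the NPS audit event for the denied RADIUS request carries the Calling-Station-Id, which for a wireless client is the MAC address the AP reported, and that MAC can be searched in Dashboard. The script below is an added PowerShell example written for this page; it is not code from any of the posters and not a Meraki or Microsoft script. It assumes a domain controller that audits lockouts as Security event 4740, an NPS server that audits denied requests as Security event 6273, the ActiveDirectory module on the machine running it, and an account that can read both Security logs remotely. The hostnames dc01 and nps01 are placeholders, and the EventData field names used (TargetUserName for 4740; SubjectUserName, CallingStationID, ReasonCode and Reason for 6273) are the names as this example's author understands them; confirm them against one real event with ToXml() before relying on the output.

```powershell
# Added example: correlate an AD account lockout with failed wireless
# authentications on NPS, and list the client MACs behind the failures.
# Assumptions (not from the original thread): ActiveDirectory module is
# installed; dc01 / nps01 are placeholder hostnames; the caller can read
# the remote Security logs; the EventData field names below match your
# 4740 / 6273 events (check one with $event.ToXml()).
param(
    [Parameter(Mandatory)][string]$UserName,
    [string]$DomainController = 'dc01',   # placeholder
    [string]$NpsServer        = 'nps01',  # placeholder
    [int]$HoursBack           = 24
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$HoursBack)

# Turn an event's <EventData> into a hashtable keyed by field name so the
# rest of the script can use names instead of positional Properties[n].
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1. Same information NET USER /DOMAIN gives, plus current lockout state.
$user = Get-ADUser -Identity $UserName -Server $DomainController `
            -Properties PasswordLastSet, LockedOut, BadPwdCount, LastBadPasswordAttempt
'{0}: PasswordLastSet={1} LockedOut={2} BadPwdCount={3} LastBadPasswordAttempt={4}' -f `
    $user.SamAccountName, $user.PasswordLastSet, $user.LockedOut,
    $user.BadPwdCount, $user.LastBadPasswordAttempt

# 2. Lockout events (4740) for this user on the DC.
$lockouts = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
            Where-Object { (Get-EventFields $_)['TargetUserName'] -eq $UserName }
'Lockouts of {0} since {1}: {2}' -f $UserName, $since, @($lockouts).Count

# 3. Denied RADIUS requests (6273) on NPS for this user. SubjectUserName can
#    arrive as DOMAIN\user, user@domain or bare user, so normalise it before
#    comparing. Reason code 16 is the credential-mismatch case, i.e. the
#    stale password this thread is about; other codes are kept so that
#    certificate or policy failures are visible too.
$denied = Get-WinEvent -ComputerName $NpsServer -ErrorAction SilentlyContinue `
              -FilterHashtable @{ LogName = 'Security'; Id = 6273; StartTime = $since } |
          ForEach-Object {
              $f = Get-EventFields $_
              $acct = ($f['SubjectUserName'] -replace '^.*\\', '') -replace '@.*$', ''
              if ($acct -eq $UserName) {
                  [pscustomobject]@{
                      Time   = $_.TimeCreated
                      Mac    = $f['CallingStationID']   # client MAC sent by the AP
                      Reason = $f['ReasonCode']
                      Text   = $f['Reason']
                  }
              }
          }

# 4. One row per client MAC, most failures first: these are the devices that
#    still hold the old password. Search the MAC in Dashboard to find the
#    device even when its hostname is the factory default.
$denied | Group-Object Mac | Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientMac';   e = { $_.Name } },
                  Count,
                  @{ n = 'LastFailure'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } },
                  @{ n = 'ReasonCodes'; e = { ($_.Group.Reason | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Run it as `.\Find-LockoutSource.ps1 -UserName jdoe` from a host with RSAT installed. A MAC whose failures start right after PasswordLastSet is the device that needs its saved Wi-Fi credentials updated; a MAC with failures but no matching 4740 event is a device that is being throttled by NPS before the AD threshold is reached, which is the behaviour the second post describes as expected. If the 6273 events are missing entirely, the NPS server is not auditing "Network Policy Server" success/failure in its advanced audit policy, and the correlation has to fall back to the MAC list in Dashboard.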