User Accounts 90 days new password management

SOLVED
LegoGeek
Getting noticed

Hey Everyone,


I'm hoping this is a "simple" solution that is eluding me. How do users change their own passwords after 90 days? OR is there a way to turn off the splash behavior 90-day setting? What we are dealing with is glorified "Guest wifi with perks access"... it doesn't ever interact with production devices.


We've incorporated "Cloud Hosted Meraki Authentication" with Self-registration and Administrator Authentication.  The SSID has a Splash Page.  To get to the SSID they ALSO have to ADD the network SSID manually and know the Pre-shared key (WPA2 security set up).


The "Splash behavior" has a setting of "splash frequency = Every ninety days".  We are using the "Modern" theme.


Most users are authenticated with "never" expires.


Here's the overall issue.  I've set these splash pages up hoping I can authenticate users for specific SSIDs (just their personal devices going to the internet) and their respective time limits (internal policy decisions based on staff types and housing).  However, what vexes me now is that these users, after 90 days, are not able to get past the splash page; the error message keeps telling them their password is incorrect.  The only way past it is for me to change their password from the Admin console of users.  I just know that I'll be seeing them again in 90 days.


Is there a way to clean this up? Simplify it? Give users the ability to change their own passwords? OR a different SSID set up altogether (still needs to restrict devices from specific SSIDs, i.e. administrative control)?


7 REPLIES
PhilipDAth
Kind of a big deal

There is a new feature of Systems Manager coming out called Trusted Access which will better suit this problem, but that is probably still three to six months away.


What you could do is configure a group policy to bypass splash authentication for those users you can see authenticated.  From time to time you could apply this to all currently authenticated users.

https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Splash_Page#Creating...

Hey PhilipDAth,


I see where you are going with this... unfortunately I need help with "user" not "client".  SM devices are not the best use here because of them being personal devices and we fluctuate from 70 users to 250 users often depending on the season of the year.


We used to do "Using the Clients List" and manually managed each device "Different policies by connection and SSID": https://documentation.meraki.com/zGeneral_Administration/Cross-Platform_Content/Blocking_and_Whiteli...


However, that became a nightmare to manage and explain.  We thought this "user" and "authentication" method would make it simpler... now it just shifts the issues to a different set of problems.

PhilipDAth
Kind of a big deal

The new "Trusted Access" feature that is coming does not require the device to be managed.  It is exactly designed for this use case where people bring in their personal devices and they need secure access to the network.


It has a user portal as well which can allow the user to self-enroll their devices.


You can read more about it here:

https://meraki.cisco.com/blog/2019/12/meraki-trusted-access/


"In my personal opinion", it works fine with Apple devices at the moment but needs more work around Android and Windows 10.  I think given another 6 months or so it will be a good all-rounder.

I like it... I think I understand its management then.  The administration is still in control of the permissions after the user self-enrolls?


We'd also be in the situation where devices (e.g. DVD players, Roku, etc.) would use the same SSIDs.  Still think it would work (in time?).  Think living quarters VIP access.

PhilipDAth
Kind of a big deal

Bonus for you.  Meraki are asking for beta testers and giving away Systems Manager licences to those that sign up.

https://community.meraki.com/t5/Wireless-LAN/Interested-in-trying-out-a-new-802-1x-onboarding-featur...


Your chance to try this out for free!

Tempting!  I just don't have the time to test... I need it to work and for all types of devices 🙂  I'm a one-man show of all things IT for two Orgs that are 3 hours apart.


Last question/clarification - this can work "without" AD correct?  I'm getting muddled down in the context of its capabilities (lots of if this, then that) descriptions.

PhilipDAth
Kind of a big deal

>Last question/clarification - this can work "without" AD correct?


Yes.  In my opinion, it works better without AD (at least at the moment).
