802.1x Password Prompt Not Appearing After Authentication Failure

thaphucha
New here

We're having trouble with our 802.1x setup on Meraki APs. When a user's AD password changes, and they try to connect with the old (saved) password, the authentication fails (Access-Reject from NPS). However, the BYOD devices don't prompt users to enter their new credentials and keep trying to reconnect with the outdated password. The only workaround right now is to delete the wifi profile. Afterwards the user can connect to the SSID again by entering the new correct password.

Current setup:

  • 802.1x (PEAP-MSCHAPv2)
  • Windows NPS as RADIUS
  • AD user authentication

Any advice to ensure devices prompt for new credentials after a failed auth?

Brash
Kind of a big deal

This is an expected behaviour for most clients.

This is one of the reasons many organisations utilize device certificates for WiFi authentication.

There are also some client-side MDM software/configuration options that can synchronize the login password with the Wi-Fi adapter.

PhilipDAth
Kind of a big deal

One novel solution I saw at a company was a PowerShell script they had written (and scheduled to run once a day) that checked the Active Directory attribute PwdLastSet for each user. This attribute tells you when a user last changed their password.

They sent users who had recently changed their password an email to remind them.
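One way to implement the daily check PhilipDAth describes, as an added example rather than that company's own script. It assumes the RSAT ActiveDirectory module is installed and an internal SMTP relay exists; the SMTP server, sender address and SSID are placeholders.

```powershell
# Added example: find AD users whose password changed in the last N hours and
# email them a reminder to update the password saved in their Wi-Fi
# (802.1X PEAP-MSCHAPv2) profile. Placeholders below are assumptions.
param(
    [int]$LookbackHours = 24,
    [string]$SmtpServer = 'smtp.example.internal',   # placeholder
    [string]$From = 'it-helpdesk@example.internal',  # placeholder
    [string]$Ssid = 'Corp-WiFi',                     # placeholder
    [switch]$DryRun
)

Import-Module ActiveDirectory

# pwdLastSet is stored as a Windows FILETIME (100-ns ticks since 1601-01-01 UTC),
# so the cutoff must be expressed in the same unit for the AD filter.
$cutoff = (Get-Date).AddHours(-$LookbackHours).ToFileTimeUtc()

# pwdLastSet = 0 means "must change password at next logon"; the -ge cutoff
# comparison excludes those accounts automatically.
$users = Get-ADUser -Filter "pwdLastSet -ge $cutoff -and Enabled -eq 'True'" `
                    -Properties pwdLastSet, mail

foreach ($u in $users) {
    if ([string]::IsNullOrWhiteSpace($u.mail)) {
        Write-Warning "Skipping $($u.SamAccountName): no mail attribute"
        continue
    }
    $changedAt = [DateTime]::FromFileTimeUtc($u.pwdLastSet).ToLocalTime()
    $body = @"
Hello $($u.GivenName),

Your account password was changed on $changedAt.
Devices that saved your old password for the '$Ssid' wireless network will
keep failing to connect until you update the saved credentials. Please
forget/remove the '$Ssid' profile on each device and reconnect with your
new password.

IT Helpdesk
"@
    if ($DryRun) {
        Write-Host "[DryRun] Would email $($u.mail) (password changed $changedAt)"
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.mail `
            -Subject "Update the Wi-Fi password saved on your devices" -Body $body
    }
}
```

Run it once a day from a scheduled task with `-LookbackHours` matching the schedule interval; `-DryRun` lists who would be emailed without sending anything.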
