Wireless Clients lose connection after changing AD-Credentials (password).

Printen-IT

Hi everyone,

I have got a problem. We have an SSID for smartphones / tablets for official use in our company and it works fine with one exception.

Our users have to change their AD password every 90 days. They do it from the PC / notebook connected to the network. After that the credentials on their smartphones are of course expired. But our iOS and Android devices don't prompt their users to refresh their password.

What iOS does: after a certain time you will be disconnected from the network. No message at all!

What Android does: same behavior. But if you navigate to settings you will see that there is a problem with authentication. But my users will not recognize that they are disconnected from the wireless network.

So at the moment iOS users have to delete the whole network in settings ("forget this network"). After that they are able to enter their credentials and it works fine.

Android users need to open settings and refresh their password.

I have got a large number of users to support. To get around the problem I could trigger an event, sending an email to those people whose password has expired. But it is a "get around the problem" solution 😞

The only thing iOS and Android have to do is to prompt their users to refresh the password.

Is there anything I can do?

My Configuration:

WPA2-Enterprise with my Radius Server

Radius Server (Windows NPS, WinServer 2016)

User-Authentication (user has to be in a specific Active Directory Group)

Authentication Method: EAP-MSCHAP v2
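The "get around the problem" workaround mentioned above (mailing the users whose AD password has expired or is about to) can be scripted against the directory. This is an added example, not code from the original post; the Wi-Fi AD group name, SMTP server and sender address are placeholders, and the script only reports and e-mails, it changes nothing in AD.

```powershell
# Added example (not from the original post). Finds members of the AD group that
# the WPA2-Enterprise SSID requires whose password has expired or will expire
# within $WarnDays, and e-mails them the phone-side steps described in the thread.
# Placeholders: group name, SMTP server and From address are assumptions.
Import-Module ActiveDirectory

$WifiGroup  = 'WiFi-Smartphone-Users'          # placeholder: AD group required by the SSID
$WarnDays   = 7                                # warn this many days before expiry
$SmtpServer = 'smtp.example.internal'          # placeholder
$From       = 'it-helpdesk@example.internal'   # placeholder
$Now        = Get-Date

# Expand the group (nested groups included) and read the computed expiry time.
$users = Get-ADGroupMember -Identity $WifiGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties mail, Enabled, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

foreach ($u in $users) {
    # Skip disabled accounts and accounts exempt from expiry.
    if (-not $u.Enabled -or $u.PasswordNeverExpires) { continue }
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means "never expires" (e.g. via a fine-grained policy).
    if (-not $raw -or $raw -eq [int64]::MaxValue) { continue }

    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
    if ($daysLeft -gt $WarnDays) { continue }
    if (-not $u.mail) { Write-Warning "$($u.SamAccountName): no mail attribute"; continue }

    if ($daysLeft -lt 0) {
        $subject = 'Your password has expired: update it on your phone'
        $when    = "expired on $($expires.ToShortDateString())"
    } else {
        $subject = "Your password expires in $daysLeft day(s)"
        $when    = "expires on $($expires.ToShortDateString())"
    }
    $body = @"
Your company password $when. After changing it on your PC, your phone will
silently drop off the Wi-Fi:
  - iOS: Settings > Wi-Fi > forget the company network, then rejoin and enter
    your new password.
  - Android: Settings > Wi-Fi > open the company network and update the password.
"@
    Send-MailMessage -To $u.mail -From $From -Subject $subject -Body $body -SmtpServer $SmtpServer
    Write-Host "Notified $($u.SamAccountName) ($daysLeft day(s) left)"
}
```

Run it from a scheduled task on a host with RSAT installed; the account running it only needs read access to the group and user attributes listed.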

Raj66
Meraki Employee

Are you using a splash page with AD authentication? If so, what is the splash frequency set to? If you set the splash frequency to correlate with the time when the customer's authentication will expire, the AP will try re-authenticating the clients. If the splash page frequency is set to a greater time than 90 days, the AP will not prompt the client to proactively re-authenticate, as from the AP's point of view their previous auth session is still valid. Let me know if this helps.

Cheers!


Raj

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
Printen-IT

Hi Raj66, thanks for your solution approach. But we are not using a splash page.

We just have to enter our AD credentials ("username", "password") to get access to the network.

My Configuration:

WPA2-Enterprise with my Radius Server

Radius Server (Windows NPS, WinServer 2016)

User-Authentication (user has to be in a specific Active Directory Group)

Authentication Method: EAP-MSCHAP v2


Raj66
Meraki Employee

@Printen-IT Got you. If we are not using a splash page, I do not think we can do anything from the Meraki side to proactively trigger the end clients when using RADIUS authentication, as the APs act merely as bridges between the authentication server and the supplicant.

One thing you can consider is creating a separate SSID for the phones with something like centralized web authentication with ISE or even do a sign-on splash page with AD authentication so that we can set the splash page frequency to match the credential refresh period so that the clients will re-authenticate.
