"Enable Password Change" MS-CHAPv2 option and expired AD users passwords

valinev
Cisco Employee

Hi everyone!


Can someone please clarify what exactly to expect when AD user password has expired?


Without any dot1x in place, on the next login the user will be notified about the expired password and prompted by the login window itself to set a new password. Now we introduce dot1x with PEAP MS-CHAPv2 and tick the 'Allowed Protocols \ PEAP MS-CHAPv2 \ Enable Password Change' option on ISE. I know that this option allows changing the AD password while the current one is still valid, but what will happen when the password has expired?


On a side note, what is the usual/recommended way of handling users with expired passwords? Opening up the pre-auth ACL (permit Kerberos to the AD DCs) so the password change can happen even without successful auth?


Thanks!

Accepted Solution

Jason Kunst
Cisco Employee

Usually the password policies are set such as when to allow a user to change a password and when to expire the password. I do not believe users get prompted to change passwords unless they have already expired. When not yet expired, they would update their passwords by other means (a password change facility external to ISE; you can use the ISE My Devices or Sponsor portals to do this by customizing them with some messaging).


Right, you would need to open up the ACL that is used before the user logs into the machine so they can talk to AD to do the password change. This would be at the machine authentication state.


Page 9 of this doc may help you out:

How To: Deploy ISE in Low Impact Mode

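As an added example that is not part of the original thread, here is what a pre-authentication port ACL of the kind Jason describes might look like on a Cisco IOS switch in Low Impact Mode. The DC address (10.1.1.10), the DNS server (10.1.1.53) and the interface name are placeholders I made up. The thread only mentions Kerberos; the other ports listed are the ones a Windows logon client also uses to locate a DC and finish a domain logon (DNS, kpasswd on 464 for the actual password change, LDAP, SMB), and that port list is my assumption, not something the thread states. Everything else stays blocked until ISE returns a dACL after the user authenticates with the new password.

```text
! Constructed example (not from the thread): static ACL applied to the access
! port before 802.1X succeeds. 10.1.1.10 (DC) and 10.1.1.53 (DNS) are placeholders.
ip access-list extended PRE-AUTH-LOW-IMPACT
 remark -- DHCP so the client gets an address before it can authenticate
 permit udp any eq bootpc any eq bootps
 remark -- DNS, needed for DC locator (SRV record lookups)
 permit udp any host 10.1.1.53 eq domain
 permit tcp any host 10.1.1.53 eq domain
 remark -- Kerberos: the AS-REQ for an expired password returns KDC_ERR_KEY_EXPIRED,
 remark -- which is what triggers the Windows logon client's change-password prompt
 permit udp any host 10.1.1.10 eq 88
 permit tcp any host 10.1.1.10 eq 88
 remark -- kpasswd: the password change itself
 permit udp any host 10.1.1.10 eq 464
 permit tcp any host 10.1.1.10 eq 464
 remark -- LDAP/CLDAP and SMB for DC location and the domain logon that follows
 permit udp any host 10.1.1.10 eq 389
 permit tcp any host 10.1.1.10 eq 389
 permit tcp any host 10.1.1.10 eq 445
 remark -- everything else waits for the post-auth dACL from ISE
 deny ip any any log
!
interface GigabitEthernet1/0/1
 ip access-group PRE-AUTH-LOW-IMPACT in
 authentication port-control auto
 authentication host-mode multi-auth
 authentication open
 dot1x pae authenticator
```

Once ISE authenticates the user with the new password, the dACL it returns takes precedence over this static ACL. The final `deny ip any any log` line is there so that, while testing, you can see which DC traffic (if any) the logon still needs beyond what is permitted. Note that this does expose the listed DC ports to unauthenticated hosts on the port, which is exactly the trade-off Vadim's customer was reluctant to accept.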

3 Replies

Hi Jason,

Thanks for the reply!

Yeah, you are right, users will get prompted to change their passwords only when the password has already expired. It will pop up as the native Windows logon client, nothing to do with ISE. Opening up the pre-auth ACL to allow them to reset their AD passwords was my first thought, but the customer is reluctant to do this, since they do not want to expose their AD to unauthenticated users. I know there is an option of a Read-Only Domain Controller (RODC) for those who do not want to expose their AD, but the customer is not eager to go this way.

So I am trying to clarify what this MS-CHAP Enable Password Change option gives us when the AD password has already expired. Will the user be able to get this Windows logon client pop-up and change his password?

<http://www.cisco.com/neverbetter>

Vadim Linev

ARCHITECT.SOLUTIONS

Cisco Services

CCIE Security - 37396

Correct, password change will happen. If the customer doesn't want to expose AD, then they will need to make sure they don't allow expiration. I would recommend they deploy a method to handle password change before this would happen and notify the user well ahead of time.