[afnog] IBNS (dot1X) Windows password expiry

John Gitau JGitau at Safaricom.co.ke
Wed Mar 1 09:37:36 EAT 2006


Guys,
Something totally has me stumped.

I have implemented Dot1X (IBNS) on a wired network using Cisco 3750s,
Cisco Solution Engine (ACS), with Windows Active Directory acting as the
backend database. Users are running Windows XP. It works perfectly apart
from one nagging problem.

Users come in, log on to the network, get authenticated and happily go
on about their duties. But we also have a policy to expire passwords
every once in a while. Before we implemented the authentication, users
would get notifications on how soon their passwords would expire, giving
them enough time to change their passwords.

My problems:

1 - Users are not getting the notifications any more.
2 - They keep getting "domain not available" errors - this is especially
so for new laptops that have never been on the network.
3 - When they finally change their passwords (sometimes from
un-authenticated ports), XP only lets them log on to their PCs using the
old password. *I think XP checks the cache before the network for log
on details. Unfortunately, when they gain access to their PCs/laptops,
the ACS/switches don't give the users access to networking resources
since they have not authenticated to the network. (We have it configured
such that the username and password you use to log on to your
workstation is the same password sent for authentication.)

Is there anything specific to password expiry and renewal I need to be
checking on either the ACS or the Active Directory?

**Gitau
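Since the missing expiry warnings are the first symptom above, one thing an admin can do is compute the expiry dates server-side from the AD attributes themselves rather than relying on the XP logon prompt. The script below is an added example, not code from the post or from Cisco; it shows how pwdLastSet and the domain maxPwdAge (both stored as 100-nanosecond FILETIME counts, with maxPwdAge negative) combine into an expiry date, and which accounts fall inside a warning window. All user records and the domain policy are constructed sample values, not real directory data.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD FILETIME values count 100-ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag: password never expires


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME integer to a timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime (used here to build sample data)."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int = 0) -> Optional[datetime]:
    """Return when the password expires, or None if it never does.

    maxPwdAge is stored as a NEGATIVE interval, so subtracting it adds the age.
    pwdLastSet == 0 means 'must change at next logon'; treat as no computable date.
    """
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age == 0 or pwd_last_set == 0:
        return None
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def users_to_warn(users, max_pwd_age: int, now: datetime, warn_days: int = 14):
    """List (account, days_left) for passwords expiring within warn_days (or already expired)."""
    due = []
    for user in users:
        expiry = password_expiry(user["pwdLastSet"], max_pwd_age, user.get("userAccountControl", 0))
        if expiry is None:
            continue
        days_left = (expiry - now).days  # negative once the password has expired
        if days_left <= warn_days:
            due.append((user["sAMAccountName"], days_left))
    return due


# Constructed sample domain policy and accounts (not real directory data).
NOW = datetime(2006, 3, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * 10_000_000  # 42-day policy, stored negative as in AD
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": datetime_to_filetime(datetime(2006, 2, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "pwdLastSet": datetime_to_filetime(datetime(2006, 2, 20, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc-backup", "pwdLastSet": datetime_to_filetime(datetime(2005, 1, 1, tzinfo=timezone.utc)),
     "userAccountControl": DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "carol", "pwdLastSet": datetime_to_filetime(datetime(2006, 1, 1, tzinfo=timezone.utc))},
]
```

Running `users_to_warn(SAMPLE_USERS, MAX_PWD_AGE, NOW)` flags alice (14 days left) and carol (expired 17 days ago), while bob and the never-expiring service account are skipped.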


