

Prevent WIFI authentication from locking out user domain accounts?

Question

Saturday, February 25, 2012 7:32 PM

We are using WPA2 Enterprise PEAP user authentication without certificates for users to access Cisco managed WIFI.  I was told that when the MSCHAPV2 settings had been set with "Automatically use my Windows login name and password" box checked, there were too many people getting their domain accounts locked out when they changed their password.

To get around this, they no longer use individual user accounts from the logged in user, but have set up a static user account with a non-expiring password.  The box "Automatically use my Windows login name and password" is unchecked and the user credentials entered manually on every laptop.

I can't see any way to specify these alternate user credentials ahead of time in the settings. You have to uncheck the box and wait for Windows to prompt you for credentials before you can enter the information.

This process has become very clunky and is a huge waste of time since someone from IT needs to go to the laptop and enter the settings by hand every time someone wants to connect to WIFI on a different laptop.

Is there some way to enter these alternate user credentials automatically by GPO or else use the logged in domain user's credentials, but not allow it to lock their account out after a password change?

Is there a better way for domain joined laptops to access the WIFI without the possibility of out of date credentials locking out the user's domain account in the future?
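The checkbox "Automatically use my Windows login name and password" is stored in the wireless profile XML as the `UseWinLogonCredentials` element of the inner MSCHAPv2 method, so its state can be set from a script instead of by hand. The following is an added example, not code from this thread or from Microsoft; the profile name "CorpWiFi" is a placeholder and the script assumes an elevated PowerShell session on a client where the profile already exists.

```powershell
# Added example: flip the PEAP/MSCHAPv2 "use Windows logon credentials" setting on an
# existing WPA2-Enterprise profile by exporting, editing and re-importing its XML.
# Assumptions (placeholders): profile name "CorpWiFi", script runs elevated.
param(
    [string]$ProfileName = 'CorpWiFi',   # assumed SSID/profile name
    [bool]$UseWindowsLogon = $true        # $true = box ticked, $false = Windows prompts for credentials
)

$workDir = Join-Path $env:TEMP 'wlan-profile'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
Get-ChildItem -Path $workDir -Filter '*.xml' | Remove-Item -Force

# 1. Export the current profile to XML (a PEAP profile carries no key material).
netsh wlan export profile name="$ProfileName" folder="$workDir" | Out-Null
$xmlPath = Get-ChildItem -Path $workDir -Filter '*.xml' | Select-Object -First 1 -ExpandProperty FullName
if (-not $xmlPath) { throw "Profile '$ProfileName' was not exported; check 'netsh wlan show profiles'." }

[xml]$profileXml = Get-Content -Path $xmlPath

# 2. Locate the inner MSCHAPv2 element. The checkbox maps to <UseWinLogonCredentials>
#    in the MsChapV2ConnectionPropertiesV1 namespace of the wireless profile schema.
$ns = New-Object System.Xml.XmlNamespaceManager($profileXml.NameTable)
$ns.AddNamespace('ms', 'http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1')
$node = $profileXml.SelectSingleNode('//ms:UseWinLogonCredentials', $ns)
if (-not $node) { throw "Profile '$ProfileName' is not a PEAP/MSCHAPv2 profile." }

Write-Host "Current UseWinLogonCredentials = $($node.InnerText)"
$node.InnerText = $UseWindowsLogon.ToString().ToLower()   # schema expects 'true' / 'false'
$profileXml.Save($xmlPath)

# 3. Re-import for all users; a same-name profile is overwritten in place.
netsh wlan add profile filename="$xmlPath" user=all
Remove-Item -Path $xmlPath -Force
```

The same edited XML can be handed to the Wireless Network (IEEE 802.11) Policies GPO or to a startup script so the setting reaches every domain-joined laptop without a visit from IT.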

All replies (2)

Tuesday, February 28, 2012 10:52 PM

You might want to look at the NPS account lockout feature in Windows 2008 and 2008 R2 server. The NPS server holds a local account lockout policy and tracks the failed logon attempts for users.

Read more on the NPS account lockout feature and how to configure it here:

http://technet.microsoft.com/en-us/library/dd197529(v=ws.10).aspx

http://technet.microsoft.com/en-us/library/ff687746(v=ws.10).aspx

/Hasain


Tuesday, March 27, 2012 8:50 PM

Couldn't you use an MDM and create the credentials on the image that you push down to your iOS devices? That way you only have to do the credentials once per image.