    • #533155
      Norman
      Participant
      Member Points: 188
      Rank: 2

      Hi,

      In my current network, I’m running slightly older OSes:

      Windows Server 2012 R2
      Windows 8.1 pro

      Some Background information:

      A while back I configured our office Wifi to use Windows domain credentials.

      The access points perform RADIUS authentication, referencing a DC.
      The DC has the access points configured as RADIUS clients in NPS.

      That works as intended.  When a user clicks on the SSID of our corp wifi, they are not asked for one shared password, but for a username & password.  If they enter valid domain credentials, they gain access.

      Mixing of credentials:
      Somewhere on the Win 8.1 client there was a setting that said: “Pass the Windows credentials to Wifi”. So: you are already logged onto Windows with your domain account; you do not need to re-enter those same credentials to get on the corp-Wifi.

      BUT… I don’t think you can share credentials going the other way, i.e.: “I logged into corp-Wifi successfully, now give those credentials to Windows”. On several occasions I have actually logged into Wifi with one set of credentials, then logged into Win 8.1 with a different set of credentials.


      The Problem:

      • A user is out of the office for a week.
      • Their domain password expires while they are out of the office.
      • They come back to the office.
      • When they open their laptop, they enter their expired password.

      At this point the laptop accepts the expired password as “cached credentials”.
      (since the password is expired, the laptop could not automatically connect to corp-Wifi)

      • User unlocks their laptop with their expired password.
        (they do not even know that the password is expired)
      • User figures out they are offline, tries to connect to corp-Wifi

      In Win 8.1 the built-in Wifi UI (that purple stripe on the right) has elements for dealing with expired RADIUS passwords.

      • The Wifi UI will present fields allowing the user to change their password.
      • User changes their domain password using this UI.
      • User gains access to corp-Wifi

      Now the user tries to print on a network printer, and it doesn’t work!
      Why? Because while they have successfully updated their domain password and are connected to the corporate network, they are still logged onto Windows with their old/expired password.

      At this point the user gives up and calls tech support.
      The correct remedy at this point is:

      • Log off.
      • Before logging in, connect to corp-Wifi (with the new domain password).
      • Log in to Windows with the new domain password.

      My Question:
      How can I provide a more straightforward user experience?
      The above scenario happens weekly, and traps the user each and every time.
      What can I change to avoid this pitfall?

      +1
    • #534931
      Jason Coltrin
      Moderator
      Member Points: 677
      Rank: 2

      Sounds like it may just be a user training issue. Doesn’t this happen with mapped drives and other login GPO resources as well? If the printers are mapped during login because of a GPO then there may be no other way around it other than the user running a script of some kind to get the printers back.

      +2
    • #535031
      Michael Pietroforte
      Keymaster
      Member Points: 31,741
      Author of the year 2018
      Rank: 4

      If this happens weekly, does that mean user passwords expire every week? If so, this is your main problem. I believe that forcing users to frequently change passwords is not a good idea because it increases costs and reduces security. Obviously, frequent password changes trigger many help desk calls. Frequent password changes reduce security because users start to use weak passwords. They are afraid to call the help desk again and again because they forgot their password, so they use a password that they can easily remember. And if you enforce strong passwords, users will stick a note with their passwords on their monitor. This is unavoidable.

      I covered the topic in more detail here:

      Is the default Active Directory password policy good?

      If your management insists on frequent password changes, you might want to consider disabling cached credentials because those two policies don’t go well together. More info here:

      Cached domain logon

      Another thing you should consider is to ensure that users log off after work. As Jason noted, your configuration can cause all kinds of problems. More info here:

      Automatically log off idle users in Windows

      And last but not least, you could force users to log off after they change their password. You could write a PowerShell script that fires whenever a password is changed via the Wifi UI and then forces a user log off. This might help you to get started:

      Log off multiple users on a schedule with PowerShell

      0
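Two administrative checks that follow the advice in this reply, as an added example (not code from the thread or from 4sysops): the first inspects and sets the Winlogon value that controls cached domain logons, the second lists domain users whose password expires within the next few days so they can be told to change it before they leave the office rather than discovering it at the Wi-Fi prompt. It assumes the RSAT ActiveDirectory module is installed for the second function; the registry path, value name and the msDS-UserPasswordExpiryTimeComputed attribute are real, the function names are my own.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# for Get-ExpiringPasswords; function names are my own.

# 1) Inspect or change the cached-logon policy on a client.
#    CachedLogonsCount is a REG_SZ under Winlogon; "0" disables cached domain
#    logons, so the laptop then needs a reachable DC at logon time.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    $value = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
              -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $value) { return 10 }   # Windows default when the value is absent
    return [int]$value
}

function Set-CachedLogonsCount {
    param([Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count)
    # Stored as a string (REG_SZ), hence the cast. Requires an elevated shell.
    Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount `
                     -Value ([string]$Count) -Type String
}

# 2) Find enabled domain users whose password expires within the next N days.
#    msDS-UserPasswordExpiryTimeComputed is a constructed attribute that also
#    honours fine-grained password policies.
function Get-ExpiringPasswords {
    param([int]$WithinDays = 7)
    Import-Module ActiveDirectory -ErrorAction Stop
    $now   = Get-Date
    $limit = $now.AddDays($WithinDays)
    Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
               -Properties msDS-UserPasswordExpiryTimeComputed, mail |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # 0 or Int64.MaxValue mean "no expiry" and would break FromFileTime
            if ($raw -and $raw -lt [long]::MaxValue) {
                $expires = [datetime]::FromFileTime($raw)
                if ($expires -le $limit) {
                    [pscustomobject]@{
                        SamAccountName = $_.SamAccountName
                        Mail           = $_.mail
                        ExpiresOn      = $expires
                        DaysLeft       = [math]::Floor(($expires - $now).TotalDays)
                    }
                }
            }
        } | Sort-Object ExpiresOn
}

# Usage:
#   Get-CachedLogonsCount
#   Get-ExpiringPasswords -WithinDays 7 | Format-Table -AutoSize
```

Setting CachedLogonsCount to 0 removes the "logon with an expired password" path entirely, but it also means a laptop on Wi-Fi must have its network connection up before the user logs on, which is the single-sign-on direction the original post already relies on; test that on one machine before rolling it out by GPO. The expiry report is the cheaper fix: run it on a schedule and notify the listed users a few days ahead.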
© 4sysops 2006 - 2021