- Fri, May 4 2018 at 3:32 am #533155 Norman (Participant)
In my current network, I’m running slightly older OSes:
Windows Server 2012 R2
Windows 8.1 Pro
Some background information:
A while back I configured our office Wifi to use Windows domain credentials.
The access points perform RADIUS authentication, referencing a DC.
The DC has the access points configured as RADIUS clients in NPS.
That works as intended. When a user clicks on the SSID of our corp Wifi, they are not asked for one shared password, but for a username & password. If they enter valid domain credentials, they gain access.
Mixing of credentials:
Somewhere on the Win 8.1 client there was a setting that said: “Pass the Windows credentials to Wifi”. So: You are already logged onto Windows with your domain account, you do not need to re-enter those same credentials to get on the corp-Wifi.
BUT… I don’t think you can share credentials going the other way. i.e.: “I logged into corp-Wifi successfully, now give those credentials to Windows”. On several occasions I have actually logged into Wifi with one set of credentials, then logged into Win 8.1 with a different set of credentials.
- A user is out of the office for a week
- their domain password expires while they are out of the office.
- They come back to the office
- When they open their laptop, they enter their expired password.
At this point the laptop accepts the expired password as “cached credentials”.
(since the password is expired, the laptop could not automatically connect to corp-Wifi)
- User unlocks their laptop with their expired password.
(they do not even know that the password is expired)
- User figures out they are offline, tries to connect to corp-Wifi
In Win 8.1 the built-in Wifi UI (that purple stripe on the right) has elements for dealing with expired RADIUS passwords.
- The Wifi UI will present fields allowing the user to change their password.
- User changes their domain password using this UI.
- User gains access to corp-Wifi
Now the user tries to print on a network printer, and it doesn’t work!
Why? Because while they have successfully updated their domain password, and are connected to the corporate network, they are still logged onto Windows with their old/expired password.
At this point the user gives up and calls tech support.
The correct remedy at this point is:
- Before logging in, connect to corp-Wifi (with the new domain password)
- Log in to Windows with the new domain password.
How can I provide a more straightforward user experience?
The above scenario happens weekly, and traps the user each and every time.
What can I change to avoid this pitfall?
- Fri, May 4 2018 at 1:44 pm #534931 Jason Coltrin (Moderator)
Sounds like it may just be a user training issue. Doesn’t this happen with mapped drives and other login GPO resources as well? If the printers are mapped during login because of a GPO then there may be no other way around it other than the user running a script of some kind to get the printers back.
- Sat, May 5 2018 at 4:15 am #535031 Michael Pietroforte (Keymaster)
If this happens weekly, does that mean user passwords expire every week? If so, this is your main problem. I believe that forcing users to frequently change passwords is not a good idea because it increases costs and reduces security. Obviously, frequent password changes trigger many help desk calls. Frequent password changes reduce security because users start to use weak passwords. They are afraid to call the help desk again and again because they forgot their password, so they use a password that they can easily remember. And if you enforce strong passwords, users will stick a note with their passwords on their monitor. This is unavoidable.
I covered the topic in more detail here:
If your management insists on frequent password changes, you might want to consider disabling cached credentials because those two policies don’t go well together. More info here:
Another thing you should consider is to ensure that users log off after work. As Jason noted, your configuration can cause all kinds of problems. More info here:
And last but not least, you could force users to log off after they change their password. You could write a PowerShell script that fires whenever a password is changed via the Wifi UI and then forces a user log off. This might help you to get started:
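A worked version of the check Michael describes, added here as an example and not code from the thread or its authors. It compares the start time of the current interactive logon session with the account's pwdLastSet in AD: if the password was set after the session began, the user is still logged on with the old credentials. It assumes a domain-joined Windows 8.1 client that can now reach a DC over the Wi-Fi, that it runs in the user's session (e.g. from a scheduled task), and the switch name -ForceLogoff is a hypothetical choice for this example.

```powershell
# Added example, not code from the thread or its authors.
# Detects an interactive session that predates the last domain password change
# (the "changed password via the Wifi UI but still logged on with the old one"
# state). Assumes: domain-joined client, DC reachable, run in the user's session.
# -ForceLogoff is a hypothetical switch name chosen for this example.
param(
    [switch]$ForceLogoff
)

function Get-InteractiveLogonStart {
    # LogonType 2 = Interactive; UAC can create two such sessions, take the newest.
    $s = Get-CimInstance Win32_LogonSession -Filter "LogonType = 2" |
         Sort-Object StartTime -Descending | Select-Object -First 1
    if ($s) { return $s.StartTime }
    return $null
}

function Get-DomainPwdLastSet([string]$SamAccountName) {
    # Query the DC over LDAP; pwdLastSet is a FILETIME stored as an Int64.
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add("pwdLastSet")
    $r = $searcher.FindOne()
    if (-not $r) { return $null }
    return [DateTime]::FromFileTime([Int64]$r.Properties["pwdlastset"][0])
}

function Test-StaleLogonCredentials {
    $logonStart = Get-InteractiveLogonStart
    $pwdLastSet = Get-DomainPwdLastSet $env:USERNAME
    if (-not $logonStart -or -not $pwdLastSet) {
        Write-Warning "Could not determine logon start or pwdLastSet; is the DC reachable?"
        return $false
    }
    # Password set after the session began => session still holds old credentials.
    return ($pwdLastSet -gt $logonStart)
}

if (Test-StaleLogonCredentials) {
    $msg = "Your domain password was changed after you logged on. " +
           "Network resources (printers, shares) will fail until you log off and back on."
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show($msg, "Password changed", "OK", "Warning")
    if ($ForceLogoff) { logoff.exe }   # end the interactive session, as Michael suggests
}
```

Without -ForceLogoff the script only warns, which is the safer default while the help desk verifies the check matches real cases.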