802.1x authentication fails on password change, if new password doesn't meet complexity req

%3CLINGO-SUB%20id%3D%22lingo-sub-1327898%22%20slang%3D%22en-US%22%3E802.1x%20authentication%20fails%20on%20password%20change%2C%20if%20new%20password%20doesn't%20meet%20complexity%20req%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1327898%22%20slang%3D%22en-US%22%3E%3CP%3E%3CBR%20%2F%3EHello%20there%2C%20we're%20having%20some%20problems%20with%20windows%20user%20password%20changes%20in%20our%20802.1x%20network%20environment%20and%20as%20I'm%20not%20sure%20how%20to%20deal%20with%20it%2C%20I'd%20like%20to%20ask%20for%20help.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSTRONG%3EOur%20environment%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EWe%20are%20running%20windows%20domain%20on%20top%20of%20802.1x-enabled%20network%20with%20single%20sign%20on%2C%20meaning%20that%20user%20has%20single%20credentials%20for%20both%20the%20network%20and%20his%20AD%20account.%20Network-wise%2C%20if%20the%20user%20authenticates%20successfully%20against%20our%20MS%20NPS%20(radius)%20servers%2C%20he%20is%20placed%20into%20authenticated%20vlan.%20If%20he%20doesn%E2%80%99t%2C%20he%20is%20placed%20into%20guest%20(unauthenticated)%20vlan%2C%20with%20no%20way%20of%20reaching%20the%20AD%20computers.%20%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20far%20as%20I%20know%2C%20the%20Windows%20computer%20first%20authenticates%20%26nbsp%3Bto%20the%20network%20and%20then%20tries%20to%20reach%20the%20domain%20and%20log%20in%20via%20domain%20account.%20This%20generally%20does%20work%20very%20well%2C%20however%20we%20have%20some%20problems%20with%20situation%20where%20user%20tries%20to%20log%20in%20with%20expired%20password.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EWhat%20works%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EDue%20to%20our%20AD%20password%20expiration%20policy%2C%20user%20passwords%20expire%20every%20few%20months.%20After%20user%20tries%20to%20log%20in%20with%20expired%20password%2C%20he%20is%20greeted%20with%20windows%20password%20reset%20dialog.%20If%20the%20user%20enters%20password%20that%20meets%20the%20complexity%20requirements%2C%20he%20changes%20his%20password%20successfully.%20So%20far%20so%20good.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EWhat%20does%20not%20work%3A%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EIf%20the%20user%20enters%20password%20that%20doesn%E2%80%99t%20meet%20the%20complexity%20requirements%2C%20he%20is%20not%20informed%20about%20this%20failure%2C%20but%20this%20failure%20is%20recorded%20in%20the%20NPS%20Event%20log%20(%3CSTRONG%3Eevent%20ID%206273%3C%2FSTRONG%3E).%20This%20results%20in%20%E2%80%9Caccess%20denied%E2%80%9D%20for%20the%20user%2C%20which%20means%20that%20the%20user%20ends%20up%20in%20unauthorized%20(guest)%20network.%20However%2C%20Windows%20logs%20the%20user%20in%20successfully%20(with%20the%20expired%20password!).%20How%20is%20this%20possible%3F%3C%2FP%3E%3CP%3EUser%20password%20isn%E2%80%99t%20changed%2C%20checkbox%20%22User%20must%20change%20password%20at%20next%20logon%22%20is%20checked%20in%20his%20AD%20profile.%20If%20the%20user%20tries%20to%20log%20in%20again%2C%20he%20is%20again%20greeted%20with%20password%20reset%20dialog%20and%20if%20he%20again%20fails%20to%20meet%20the%20complexity%20requirements%2C%20the%20whole%20problem%20repeats%20itself.%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20problem%20seems%20to%20be%20that%20the%20NPS%20deny%20message%20(The%20user%20could%20not%20change%20his%20or%20her%20password%20because%20the%20new%20password%20did%20not%20meet%20the%20password%20requirements%20for%20this%20network)%20is%20something%20windows%20doesn't%20understand%20and%20instead%20of%20showing%20the%20user%20another%20password%20dialog%2C%20it%20just%20fails%20completely%20and%20falls%20into%20unauthorized%20VLAN.%20But%20this%20is%20just%20pure%20speculation.%26nbsp%3B%3CBR%20%2F%3EI'm%20also%20attaching%20screenshots%20of%20the%20event%20log%20message%20and%20our%20802.1x%20wired%20profile%20settings.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1327898%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ENetworking%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Highlighted
Occasional Visitor


Hello there, we're having some problems with windows user password changes in our 802.1x network environment and as I'm not sure how to deal with it, I'd like to ask for help.

Our environment:

We are running windows domain on top of 802.1x-enabled network with single sign on, meaning that user has single credentials for both the network and his AD account. Network-wise, if the user authenticates successfully against our MS NPS (radius) servers, he is placed into authenticated vlan. If he doesn’t, he is placed into guest (unauthenticated) vlan, with no way of reaching the AD computers.  

As far as I know, the Windows computer first authenticates  to the network and then tries to reach the domain and log in via domain account. This generally does work very well, however we have some problems with situation where user tries to log in with expired password.

 

What works:

Due to our AD password expiration policy, user passwords expire every few months. After user tries to log in with expired password, he is greeted with windows password reset dialog. If the user enters password that meets the complexity requirements, he changes his password successfully. So far so good.

 

What does not work:

If the user enters password that doesn’t meet the complexity requirements, he is not informed about this failure, but this failure is recorded in the NPS Event log (event ID 6273). This results in “access denied” for the user, which means that the user ends up in unauthorized (guest) network. However, Windows logs the user in successfully (with the expired password!). How is this possible?

User password isn’t changed, checkbox "User must change password at next logon" is checked in his AD profile. If the user tries to log in again, he is again greeted with password reset dialog and if he again fails to meet the complexity requirements, the whole problem repeats itself.

The problem seems to be that the NPS deny message (The user could not change his or her password because the new password did not meet the password requirements for this network) is something windows doesn't understand and instead of showing the user another password dialog, it just fails completely and falls into unauthorized VLAN. But this is just pure speculation. 
I'm also attaching screenshots of the event log message and our 802.1x wired profile settings. 


0 Replies