Educause Security Discussion mailing list archives

Re: 802.1X password reset issues


From: Brian Epstein <bepstein () IAS EDU>
Date: Wed, 14 Nov 2018 15:58:34 -0500

Hi Jim,

Full disclosure, I've not implemented this, but am looking to do so at a
future time.

Which part of your infrastructure is doing the locking?  If it is your
directory, and you are using AD, you should be able to set the Password
History Check to a higher setting to avoid this exact situation.  Then,
you would just need some way of identifying users in this situation and
reminding them of the offending devices.

"Password history check (N-2): Before a Windows Server 2003 operating
system increments badPwdCount, it checks the invalid password against
the password history. If the password is the same as one of the last two
entries that are in the password history, badPwdCount is not incremented
for both NTLM and the Kerberos protocol. This change to domain
controllers should reduce the number of lockouts that occur because of
user error."

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc780271(v=ws.10)

Thanks,
ep

On 11/14/2018 03:37 PM, Pardonek, Jim wrote:
We are getting some grumbling from several staff that get into a
password lockout condition when changing their twice a year required
password.  We mostly see this when people have multiple devices
connected to the wireless network and they forget one of them and it
locks out from re-auth requests or if they don’t change the password for
their email client and that locks us out.  We have recommended
procedures (turn off all devices but one and re-do the password one at a
time).  We’ve tried to make it less painful by upping the number of
failed password attempts before it locks out, but I don’t want to get to
a point where we sacrifice security for convenience.  Do any of you
folks have similar issues and what have you done to make it easier?

Thanks,

Jim

James Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL  60660
Phone: (773) 508-6086

Loyola University Chicago will never ask you for your username or
password.

For the latest information security news at Loyola, please follow us
online:

Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog: http://blogs.luc.edu/uiso/

-- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78
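The counting rule quoted from the Microsoft page above is easy to misread, so here is a small model of it. This is an added example, not code from the thread or from Microsoft: it models a directory's bad-password counter with a configurable lockout threshold and a password-history check of configurable depth (Windows fixes that depth at two; the `history_check_depth` knob, the SHA-256 stand-in for the NT hash and the sample passwords are all constructed for the illustration). It reproduces the scenario from the original question: a forgotten wireless device keeps re-authenticating with an old password after the user rotates it.

```python
"""Model of bad-password counting with and without a password-history check.

Added illustration for the 802.1X lockout thread; it is not Active Directory
code.  Real domain controllers check the last two history entries (N-2); the
depth is made configurable here only so the two behaviours can be compared.
"""
import hashlib
from dataclasses import dataclass, field


def _h(password: str) -> str:
    # Stand-in for the stored credential hash (constructed; not the NT hash).
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    current_hash: str
    history: list = field(default_factory=list)  # most recent old hash first
    bad_pwd_count: int = 0
    locked_out: bool = False


@dataclass
class LockoutPolicy:
    threshold: int = 5          # bad attempts before lockout
    history_check_depth: int = 2  # 0 disables the history check entirely

    def authenticate(self, acct: Account, password: str) -> bool:
        """Return True on success; update badPwdCount/lockout on failure."""
        if acct.locked_out:
            return False
        h = _h(password)
        if h == acct.current_hash:
            acct.bad_pwd_count = 0
            return True
        # The quoted rule: a wrong password that matches one of the most
        # recent history entries is treated as a stale credential and is
        # NOT counted towards lockout.
        if h in acct.history[: self.history_check_depth]:
            return False
        acct.bad_pwd_count += 1
        if acct.bad_pwd_count >= self.threshold:
            acct.locked_out = True
        return False


def change_password(acct: Account, new_password: str) -> None:
    """Rotate the password, pushing the old hash onto the history."""
    acct.history.insert(0, acct.current_hash)
    acct.current_hash = _h(new_password)


def simulate_stale_device(policy: LockoutPolicy, rotations: int = 1,
                          attempts: int = 10) -> tuple:
    """A device keeps replaying the password it was given before `rotations`
    password changes.  Returns (bad_pwd_count, locked_out) after `attempts`."""
    stale_password = "Spring2018!"           # constructed sample value
    acct = Account(current_hash=_h(stale_password))
    for i in range(rotations):
        change_password(acct, f"Rotation{i}!")  # constructed sample values
    for _ in range(attempts):
        policy.authenticate(acct, stale_password)
    return acct.bad_pwd_count, acct.locked_out


if __name__ == "__main__":
    # Without the history check the forgotten device locks the account.
    print("no history check:", simulate_stale_device(LockoutPolicy(history_check_depth=0)))
    # With the N-2 check the previous password is ignored for counting.
    print("N-2 check, 1 rotation:", simulate_stale_device(LockoutPolicy()))
    # A password three rotations old falls outside the N-2 window.
    print("N-2 check, 3 rotations:", simulate_stale_device(LockoutPolicy(), rotations=3))
```

The third case is the caveat a practitioner should keep in mind: the check protects only against the immediately preceding passwords, so a device that has missed several rotations (or a mail client whose password was changed twice in quick succession) still drives the counter up, and the only remedy is the one the original post describes, finding the device and updating it.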
