Educause Security Discussion mailing list archives

Re: Password Change/Reset for non-domain users in an 802.1x NAC setup


From: Jason Youngers <jyoungers () ITHACA EDU>
Date: Thu, 16 Nov 2017 19:41:51 +0000

Just a heads-up that Microsoft is recommending a move away from MSCHAPv2-based connections. For those who are 
considering Credential Guard, I believe MSCHAPv2 is not supported and we must move to TLS.

https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-considerations

Thanks,
Jason

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Francisco Chavez
Sent: Tuesday, November 14, 2017 11:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Password Change/Reset for non-domain users in an 802.1x NAC setup

If you have 802.1x configured to use EAP-MSCHAPv2 (Microsoft), this will automatically prompt the user to update his/her 
password on the device. This method works for both Macs and PCs. If someone forgot their password and couldn't get 
into their account, you could set up a quarantine policy with the NAC that would have a walled garden with limited 
access to a password reset utility or similar service.

i.e. VLAN (A): 802.1X
     VLAN (B): Quarantine VLAN (Walled Garden)


Regards,
- Francisco Chavez

-----------------------------------------------------------------------------------
Francisco Chavez
Manager, IT Security | Saint Mary's College of California
925-631-8236 | fac3 () stmarys-ca edu


On Nov 14, 2017, at 7:42 AM, Ronald King <ronald.king () MORGAN EDU> wrote:

We have had a similar conundrum. It also impacts those whose password has expired. Do you have a Quarantine VLAN 
the computer can be moved to that allows access to whitelisted systems that include a password reset tool?

Ronald A. King, CISSP
Chief Information Security Officer
Morgan State University
1700 E. Cold Spring Ln.
Baltimore, MD 21251
Office: (443) 885-3372
Email: ronald.king () morgan edu
URL: http://www.morgan.edu

Growing the future ... Leading the world <http://www.morgan.edu/Documents/ABOUT/StrategicPlan/StrategicPlan2011-21_Final.pdf>


On Tue, Nov 14, 2017 at 7:52 AM, Wessam Maher <0000001fe3498f17-dmarc-request () listserv educause edu> wrote:
Hi All,

I would like to get suggestions on how to implement password change/reset in an 802.1x NAC setup. For example, if I am a 
student and my PC is not on the domain and I forgot my password, how can I log in to change/reset my password when 802.1x 
network authentication won't allow me to get an IP address to communicate initially?

Appreciate your suggestions


Best Regards,

Wessam Maher CGEIT, CRISC, CISSP
Principal Campus Information Security Officer - PCISO
Office of Information Technology
The American University in Cairo
E wessam.maher () aucegypt edu • T +2022615.3543
W www.aucegypt.edu


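The quarantine VLAN / walled garden that Ronald and Francisco describe is usually built on the switch side rather than in the RADIUS server, because a client whose password is wrong or expired gets an Access-Reject and the RADIUS server therefore cannot hand it a VLAN. The fragment below is an added illustration, not configuration from anyone in this thread: Cisco IOS syntax, with VLAN 10 as the production 802.1X VLAN, VLAN 20 as the quarantine VLAN, 10.20.0.53 as the resolver and 10.20.0.10 as the password reset portal. All of those identifiers are hypothetical placeholders.

```cisco
! Added example, not from the thread. VLAN IDs, addresses and the ACL name
! are hypothetical placeholders; adjust to the local design.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
!
! Access port. A client that fails 802.1X (wrong, expired or unknown
! password) is authorized into VLAN 20 instead of being left with no
! link; a client with no supplicant at all lands in the same VLAN.
! Periodic re-authentication moves the port back to VLAN 10 shortly
! after the user has reset the password.
interface GigabitEthernet1/0/1
 description Student access port
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 authentication host-mode single-host
 authentication event fail action authorize vlan 20
 authentication event no-response action authorize vlan 20
 authentication periodic
 authentication timer reauthenticate 300
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
!
! Walled garden for VLAN 20: DHCP, DNS to the campus resolver, HTTPS to
! the reset portal, and nothing else. The final deny is logged so that
! attempts to reach anything beyond the garden show up in syslog.
ip access-list extended QUARANTINE-WALLED-GARDEN
 permit udp any eq bootpc any eq bootps
 permit udp any host 10.20.0.53 eq domain
 permit tcp any host 10.20.0.10 eq 443
 deny   ip any any log
!
interface Vlan20
 description Quarantine / walled garden for failed 802.1X clients
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.20.0.53
 ip access-group QUARANTINE-WALLED-GARDEN in
```

Two points worth checking in a real deployment. First, the reset portal at 10.20.0.10 is reachable by every machine that cannot authenticate, so it must be treated as an Internet-facing service (patched, rate-limited, strong identity proofing for the reset itself), and the ACL should be verified from a quarantined host rather than assumed. Second, once the user has changed the password the client must re-authenticate and obtain a new lease in VLAN 10; the 300-second reauthentication timer above bounds how long that takes, and a shorter `dot1x timeout tx-period` keeps the initial fall-through to VLAN 20 from feeling like a dead port. Moving to EAP-TLS, as Jason notes Microsoft now recommends, changes the picture: with certificate-based 802.1X the user's password no longer gates network access, so an expired password is a portal problem rather than a connectivity problem.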
