Hi all, I’ve got an issue in my company that has been happening to many Windows users for some months now.
Basically the user changes the Windows password due to a policy that requires changing it every 3 months (I know, not ideal, but still), the user then works fine under wifi for 1-4 hours and then he gets kicked out from the network.
The network is a visible SSID with WPA2-Enterprise security (AES encryption) and the authentication method is PEAP using the saved login information (from AD).
Here are some tests I did for troubleshooting:
1st Test: Normal password change from Windows: Ctrl+Alt+Del, change pw: All good, no disconnection at all -> user is good to work
2nd Test: We force-reset a new password on the PC -> The user stays connected to wifi even after 15 minutes from the reset, this means that the wireless network kept an “old token” as valid even though the Windows password changed.
We manually disconnect from the network (turn off wifi) and reconnect -> doesn’t work
We reboot the PC, which still logs in with the OLD password -> We try to connect to wifi (without using the new pw) -> KO
We connect the ethernet cable, we receive the message that the domain has a different pw than the PC -> lock PC -> Unlock with new password -> Wifi still doesn’t work -> Reboot, login to PC with new password -> wireless works
NOTE: We suspect that this “old token” is sometimes not renewed for a while, that’s why the user, even with an old pw, can still connect and work normally.
Yeah, that’s to avoid login issues and be sure that the new pw is synced between the domain and AD. But: I expect that if I reset a pw for a user, he gets kicked out immediately from the wifi, but that’s not the case!
I assume the thing doing the auth for wifi is a RADIUS server. RADIUS servers have a cache, and they may interrogate any domain controller to validate credentials. I am quite rusty on RADIUS, but there should be a setting for it to have a lower cache time, at the cost of more traffic and shorter resiliency if all domain controllers are down.
Yeah. Check the logs on the RADIUS server or whatever. That’ll tell you exactly what’s happening. No need to speculate.
The tech in charge of the RADIUS said that there is no memory of logged-in users. The RADIUS server checks with AD every time someone authenticates. Is this possible?