I'm a network engineer dealing with a frustrating problem. Our users are seeing their Active Directory accounts getting locked out when they try to connect to WiFi using RADIUS authentication. This seems to happen mostly to users who haven't been in the office for a while, leading me to believe it might be due to cached passwords. Despite having tried to replicate the issue myself, I haven't succeeded. Currently, we're using user credentials for RADIUS authentication and haven't implemented machine certificates yet. How can I stop these failed WiFi login attempts from causing account lockouts?
5 Answers
I've noticed similar issues when users have their cell phones connected. Typically, if they had logged into the WiFi before, their devices save the password. Deleting the saved network from those devices often resolves the lockout problem. Be sure to check on that!
That's accurate. I’d recommend disabling MSCHAP and PEAP for now and switching to certificates when you can. It avoids the hassle of failed authentications altogether.
We've encouraged users to log in at the office at least once a week to help mitigate this issue. Even biweekly might be enough to keep credentials fresh and avoid problems.
While you can set up an external identity provider to prevent AD from noting authentication attempts, that's probably not the best route. Try adjusting your Wi-Fi Group Policy to limit the number of authentication attempts to two, and set your password lockout policy to triple that. It minimizes issues with RADIUS. Seriously consider moving to user and machine certificates instead; relying on passwords can lead to a lot of headaches.
Make sure to check the logs; they can offer good insights into what's going on. Moreover, if you're using internal WiFi, consider shifting to machine certificates. It helps prevent machine attempts from locking out user accounts.
It's usually an old password being stored on some other device like a phone or tablet. We don’t even look into it anymore; we just tell users to remove WiFi from all their portable devices and unlock their account, which works every time. Those devices often use randomized MACs, so tracking them down is pointless.
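An added example (not code from any of the posts above) of what the log check and the "old password on a phone" pattern described in the answers look like when automated: NPS access-denied events (Event ID 6273, reason code 16 for a credential mismatch) are correlated with AD lockout events (Event ID 4740) to name the client MAC behind each lockout and to flag randomized (locally administered) addresses. The flat `key=value` record layout and the sample records are constructed for the example; real events come from the Windows Security log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records (not real log output): NPS "access denied" events
# (Event ID 6273) carrying the RADIUS Calling-Station-Identifier (client MAC)
# and reason code, plus AD account-lockout events (Event ID 4740).
SAMPLE_EVENTS = [
    "id=6273 user=CORP\\jdoe mac=02-1A-2B-3C-4D-5E reason=16 nas=ap-floor2",
    "id=6273 user=CORP\\jdoe mac=02-1A-2B-3C-4D-5E reason=16 nas=ap-floor2",
    "id=6273 user=CORP\\jdoe mac=02-1A-2B-3C-4D-5E reason=16 nas=ap-lobby",
    "id=6273 user=CORP\\jdoe mac=00-11-22-33-44-55 reason=16 nas=ap-floor2",
    "id=4740 user=jdoe",
    "id=6273 user=CORP\\asmith mac=00-AA-BB-CC-DD-EE reason=66 nas=ap-floor1",
    "id=4740 user=bjones",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
CREDENTIAL_MISMATCH = "16"  # NPS reason code: bad password / unknown user

def parse_event(line):
    """Turn one 'key=value ...' record into a dict, dropping the domain prefix."""
    fields = dict(FIELD_RE.findall(line))
    fields["user"] = fields["user"].split("\\")[-1].lower()
    return fields

def is_randomized_mac(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set,
    which is how phone 'private address' MACs are formed."""
    return bool(int(mac.split("-")[0], 16) & 0x02)

def lockout_sources(lines, threshold=2):
    """For each locked-out user, list the client MACs whose bad-password RADIUS
    attempts reached the threshold, most attempts first, with a randomized flag."""
    failures = defaultdict(Counter)  # user -> Counter of MAC -> failed attempts
    locked = set()
    for line in lines:
        ev = parse_event(line)
        if ev["id"] == "4740":
            locked.add(ev["user"])
        elif ev["id"] == "6273" and ev.get("reason") == CREDENTIAL_MISMATCH:
            failures[ev["user"]][ev["mac"]] += 1
    report = {}
    for user in sorted(locked):
        suspects = [(mac, n, is_randomized_mac(mac))
                    for mac, n in failures[user].items() if n >= threshold]
        report[user] = sorted(suspects, key=lambda s: -s[1])
    return report

if __name__ == "__main__":
    print(lockout_sources(SAMPLE_EVENTS))
```

A locked-out user with an empty suspect list (bjones above) was not locked out through RADIUS at all, which separates this WiFi problem from other lockout causes.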

Yeah, we've seen this quite a bit with iPhones since they save passwords in the keychain. It's a common culprit!