I'm a network engineer, and I'm facing a peculiar situation where users are experiencing Active Directory (AD) lockouts after trying to authenticate on the WiFi using RADIUS. It seems like the issue occurs when users, particularly those who haven't been in the office for a while, try to log in with cached passwords, resulting in failed authentication attempts that lock their accounts. The WiFi uses AD credentials for authentication, and while we're planning to implement machine certificates eventually, we're not ready for that yet. Does anyone have suggestions on how to prevent these failed WiFi logins from locking out user accounts?
5 Answers
I've noticed that this issue often arises from users' mobile devices, especially if they've connected to the WiFi before. Those devices save old passwords, causing lockouts. A quick fix is to delete the saved WiFi network on their devices. This usually resolves the issue immediately.
That makes sense! I'm seeing this happen a lot with our staff. Looks like we'll have to remind them to delete those old connections.
In my experience, the problem often lies with an old password stored on another device, like a phone or tablet. We don't even dig into the issue anymore; we just advise users to remove the WiFi connection from all their portable devices, unlock their accounts, and then try logging in again. It’s a tried-and-true method!
Switching to EAP-TLS is definitely worth exploring. It's a much more reliable method, and while it may seem complex, with the right setup, it can significantly reduce these kinds of issues in the future.
Checking the logs is essential. They can provide clues about what's triggering these lockouts. If it's internal WiFi, implementing machine certificates could prevent user accounts from getting locked out altogether during failed authentications.
You could also tweak your authentication settings. Set the WiFi Group Policy Object (GPO) to allow fewer attempts before locking an account, and make sure your password lockout policy is significantly higher. That might help with the RADIUS-related lockouts. Plus, seriously consider moving to machine/user certificates for better reliability in the long run.
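As an added example, not part of any answer above, this Python snippet does the log triage the two previous answers call for: it walks constructed RADIUS reject records (modelled loosely on the user, calling-station and reason fields an NPS denied-access event carries, not real log output), applies an assumed AD lockout threshold and observation window, and reports which client device accounts for the failures that would lock each user out.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RADIUS reject records: (timestamp, user, calling station
# id / client MAC, reject reason). A stale cached password on one device shows up
# as the same station failing repeatedly for the same user.
REJECTS = [
    ("2024-03-04 08:00:05", "CORP\\alice", "AA-BB-CC-11-22-33", "bad credentials"),
    ("2024-03-04 08:00:35", "CORP\\alice", "AA-BB-CC-11-22-33", "bad credentials"),
    ("2024-03-04 08:01:05", "CORP\\alice", "AA-BB-CC-11-22-33", "bad credentials"),
    ("2024-03-04 08:01:40", "CORP\\alice", "AA-BB-CC-11-22-33", "bad credentials"),
    ("2024-03-04 08:02:10", "CORP\\alice", "AA-BB-CC-11-22-33", "bad credentials"),
    ("2024-03-04 08:03:00", "CORP\\bob",   "DD-EE-FF-44-55-66", "bad credentials"),
    ("2024-03-04 09:30:00", "CORP\\bob",   "DD-EE-FF-44-55-66", "bad credentials"),
]


def find_lockout_sources(rejects, threshold=5, window_minutes=30):
    """Return {user: {calling_station: failure_count}} for every user whose bad
    password failures reach `threshold` inside a sliding `window_minutes` window.
    The two parameters stand in for the AD 'Account lockout threshold' and
    'Reset account lockout counter after' settings (assumed values here)."""
    fails = defaultdict(list)
    for ts, user, station, reason in rejects:
        if reason != "bad credentials":       # only password failures count toward lockout
            continue
        fails[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), station))

    window = timedelta(minutes=window_minutes)
    culprits = {}
    for user, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Failures in [start, start + window); the first window that reaches
            # the threshold is the one that would have locked the account.
            stations = [s for (t, s) in events[i:] if t < start + window]
            if len(stations) >= threshold:
                per_station = defaultdict(int)
                for s in stations:
                    per_station[s] += 1
                culprits[user] = dict(per_station)
                break
    return culprits


if __name__ == "__main__":
    for user, stations in find_lockout_sources(REJECTS).items():
        print(f"{user}: locked out by {stations}")
```

Feed it the reject events exported from your RADIUS server and the station with the highest count is the device whose saved WiFi profile needs removing.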

We've found this to be particularly an issue with iPhones - they save passwords in the keychain, making it a common culprit.