this post was submitted on 11 Jul 2024

networking

Hi all, I've got an issue in my company that has now been happening to many Windows users for some months.

Basically the user changes the Windows password due to a policy that requires changing it every 3 months (I know, not ideal, but still), the user then works fine on Wi-Fi for 1-4 hours and then gets kicked off the network.

The network is a visible SSID with WPA2-Enterprise security (AES encryption) and the authentication method is PEAP using the saved login information (from AD).

Here are some tests I did for troubleshooting:

1st Test: Normal password change from Windows: Ctrl+Alt+Del, change pw: all good, no disconnection at all -> user is good to work

2nd Test: We force-reset a new password on the PC -> the user stays connected to Wi-Fi even 15 minutes after the reset, which means the wireless network kept an "old token" as valid even though the Windows password changed.
We manually disconnect from the network (turn off Wi-Fi) and reconnect -> doesn't work
We reboot the PC, which still logs in with the OLD password -> we try to connect to Wi-Fi (without using the new pw) -> KO
We connect an Ethernet cable and receive the message that the domain has a different pw than the PC -> lock PC -> unlock with new password -> Wi-Fi still doesn't work -> reboot, log in to the PC with the new password -> wireless works

NOTE: We suspect that this "old token" is sometimes not renewed for a while, which is why the user, even with an old pw, can still connect and work normally.
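Added example (editor's, not from the original poster): a PowerShell script that exports the saved WPA2-Enterprise profile on an affected client and reports the PEAP/802.1X settings that decide where a stale credential can survive a password change. The SSID name `CorpWiFi` and the export folder are placeholders; the element names (`UseWinLogonCredentials`, `FastReconnect`, `authMode`, `cacheUserData`) are taken from the Windows EAP and OneX profile XML schemas as I recall them, so confirm them against the exported file.

```powershell
# Added example: inspect the PEAP/802.1X settings of a saved Wi-Fi profile.
# Run on the affected client; needs the WLAN AutoConfig service running.
# $ProfileName and $ExportDir are placeholders for this example.
param(
    [string]$ProfileName = 'CorpWiFi',
    [string]$ExportDir   = "$env:TEMP\wlan-export"
)

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# netsh writes "<InterfaceName>-<ProfileName>.xml"; the interface prefix varies,
# so locate the file by the profile name instead of hard-coding it.
netsh wlan export profile name="$ProfileName" folder="$ExportDir" | Out-Null
$xmlFile = Get-ChildItem -Path $ExportDir -Filter '*.xml' |
           Where-Object { $_.Name -like "*$ProfileName*" } |
           Select-Object -First 1
if (-not $xmlFile) { throw "Profile '$ProfileName' not found or not exported." }

[xml]$profile = Get-Content -Path $xmlFile.FullName -Raw

# The profile mixes several XML namespaces; match on local element name.
function Get-Setting([xml]$doc, [string]$localName) {
    $node = $doc.SelectSingleNode("//*[local-name()='$localName']")
    if ($null -eq $node) { return $null }
    return $node.InnerText
}

$report = [pscustomobject]@{
    Profile                = $ProfileName
    Authentication         = Get-Setting $profile 'authentication'   # e.g. WPA2
    Encryption             = Get-Setting $profile 'encryption'       # e.g. AES
    EapMethodType          = Get-Setting $profile 'Type'             # 25 = PEAP (first Type in document order)
    AuthMode               = Get-Setting $profile 'authMode'         # user / machine / machineOrUser
    CacheUserData          = Get-Setting $profile 'cacheUserData'
    UseWinLogonCredentials = Get-Setting $profile 'UseWinLogonCredentials'
    FastReconnect          = Get-Setting $profile 'FastReconnect'
}
$report | Format-List

# Editor's reading of the two settings that matter for the symptom above:
#  UseWinLogonCredentials=true -> 802.1X reuses the password captured at
#     interactive logon, so a reset done elsewhere is not picked up until the
#     user logs on with the new password against a domain controller.
#  FastReconnect=true -> the RADIUS server may resume the PEAP TLS session
#     without a fresh MS-CHAPv2 exchange, so the old password keeps "working"
#     until that session cache expires or the AP forces a full reauthentication.
```

Run it once on a machine that still reproduces the 2nd Test and once after the user has logged on with the new password; the profile itself should not change, which is the point: the state that goes stale lives in the logon credential and in the server-side session cache, not in the saved profile.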

[–] themoonisacheese@sh.itjust.works 6 points 4 months ago (2 children)

I assume the thing doing the auth for Wi-Fi is a RADIUS server. RADIUS servers have a cache, and they may interrogate any domain controller to validate credentials. I am quite rusty on RADIUS, but there should be a setting for it to have a lower cache time, at the cost of more traffic and shorter resiliency if all domain controllers are down.

[–] catloaf@lemm.ee 2 points 4 months ago

Yeah. Check the logs on the RADIUS server or whatever. That'll tell you exactly what's happening. No need to speculate.
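Added example (editor's, not from any commenter) of the log check suggested above, assuming the RADIUS server is Microsoft NPS: it reads the NPS audit events from the Security log (6272 = access granted, 6273 = access denied) for one user over the last day and lists each decision with its reason code, so the moment the client starts presenting the old password becomes visible. The user name `jdoe` is a placeholder, and "Network Policy Server" auditing must be enabled for these events to exist.

```powershell
# Added example: correlate NPS authentication results for one user.
# Run on the NPS server with an account that can read the Security log.
# Check auditing first:  auditpol /get /subcategory:"Network Policy Server"
# $User is a placeholder for this example.
param(
    [string]$User  = 'jdoe',
    [int]$Hours    = 24
)

# 6272 = Network Policy Server granted access to a user
# 6273 = Network Policy Server denied access to a user
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction Stop

# The event message is a block of "Label:    value" lines; pull one label out.
function Get-Field([string]$message, [string]$label) {
    $pattern = '(?m)^\s*' + [regex]::Escape($label) + ':\s*(.+?)\s*$'
    if ($message -match $pattern) { return $Matches[1] }
    return $null
}

$rows = foreach ($e in $events) {
    $msg  = $e.Message
    $acct = Get-Field $msg 'Account Name'
    if ($acct -notlike "*$User*") { continue }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = if ($e.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
        Account    = $acct
        ClientMac  = Get-Field $msg 'Calling Station Identifier'
        AuthType   = Get-Field $msg 'Authentication Type'
        EapType    = Get-Field $msg 'EAP Type'
        ReasonCode = Get-Field $msg 'Reason Code'
        Reason     = Get-Field $msg 'Reason'
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize -Wrap

# How to read it (editor's note):
#  - A run of GRANTED rows followed by DENIED rows with Reason Code 16
#    (credentials mismatch / wrong password) shortly after the reset means
#    the client is still sending the old password on reauthentication.
#  - Long stretches with no rows at all while the user stayed online mean
#    reauthentication never reached NPS, i.e. the session was resumed or the
#    AP's reauthentication interval is simply longer than the observed window.
```

If there are no 6272/6273 events for anyone, auditing is off and the tech's statement that "there is no memory" cannot be verified from the server side at all; enable it with `auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable` and reproduce the 2nd Test.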

[–] PeroBasta@lemmy.world 1 points 4 months ago

The tech in charge of the RADIUS said that there is no memory of logged-in users. The RADIUS server checks with AD every time someone authenticates. Is this possible?