KB40708 - Password change fails during an 802.1x authentication

This KB discusses the number 1 cause of authentication failures when a user is required to change their password during an 802.1x authentication.

In an 802.1x environment where user authentication works successfully and you are using an 802.1x protocol that allows for password change, users intermittently or consistently fail during password change.
 

Time, the number one cause of authentication failures during password change during an 802.1x connection is time. To be more specific the 802.1x timer on the switch or WLC the user is connecting to. This timer is also often referred to as the EAP timer. If this timer, universally measured in seconds, is shorter than the time it takes for an average user to come up with and enter a new password then the authentication will time out.

 

As a matter of course please set the EAP timers for you 802.1x Radius clients to 1 minute or later.