topic Re: No prompt for password change for VPN client authenticate us in Network Access Control

No prompt for password change for VPN client authenticate using ACS local DB

jintao99 — Mon, 11 Mar 2019 00:27:54 GMT

I'm setting up VPN authentication using ACS 5.1 and ASA 8.0.5. User connects using Cisco VPN client, and is authenticated to Internal users db on ACS. Everything works, except that if "Change password on next login" is checked for a user, the login will fail. The Radius log on ACS says user need to change password. However it didn't prompt for the password change. I know there must be a simple option either in VPN client profile or ini file, or on ASA tunnel group definition. However I tried several options, still couldn't make it work. Does anyone know?

Thanks,

Tao

Re: No prompt for password change for VPN client authenticate us

rodmunch999 — Tue, 05 Oct 2010 01:59:05 GMT

I believe the change password a next logon will only work if user logs into a device using telnet.

Re: No prompt for password change for VPN client authenticate us

jintao99 — Tue, 05 Oct 2010 14:43:56 GMT

Can someone from Cisco confirm if this is the case? Hard to believe that this won't work.

Thanks,

Tao

Re: No prompt for password change for VPN client authenticate us

iam_pomme — Tue, 16 Nov 2010 07:22:13 GMT

I also stuck with the same issue and have no idea how to encourage user to change their password. Please share if you have any clue.

Thanks.

PK,

Re: No prompt for password change for VPN client authenticate us

hector.ricapa — Mon, 29 Nov 2010 16:00:47 GMT

Hi all, I'm having this same issue, is there any way to make users change their passwords via a prompt in the vpn client, Im using ASA 8.2 and ACS 4.2.

A response from Cisco would be appreciate.

Thanks

Re: No prompt for password change for VPN client authenticate us

jintao99 — Mon, 29 Nov 2010 16:35:23 GMT

To make it work, MS-CHAPv2 must be selected in allowed protocol under ACS access policy. And under VPN tunnel group, enable password management. However this does't fix the issue in my case. Because all my other users should be using PAP/ASCII, when MS-CHAPv2 enabled, somehow all authentication would be using MS-CHAPv2 and fail. And I can't think of a way to define two different VPN policies to separate these two type of authenticaton requests.

Re: No prompt for password change for VPN client authenticate us

slawford — Wed, 01 Dec 2010 23:34:52 GMT

Password change/management through RADIUS is not supported for users in the local database. Password management to users in external stores is supported, and is documented in CSCsj50218 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj50218).

That being said, while not officially supported, password management to the ACS internal database for VPN users connecting to an ASA is known to work over TACACS on both ACS 4.x and 5.1+.

Steve.

tunnel-group RA general

Eternity — Thu, 22 Sep 2016 07:44:50 GMT

tunnel-group RA general-attributes
 authentication-server-group ACS
 password-management

The password-management command changes the behavior so that the ASA is forced to use MSCHAPv2, rather than PAP, in the Radius-Request.