topic Hello Michael, in Network Access Control

ACS Password Policy

michaelhorv11 — Mon, 11 Mar 2019 06:32:44 GMT

My company would like to replace the existing LDAP servers with Cisco ACS. One requirement of our VPN security policy is that the user must change their VPN account password prior to their first log in. If the user tries to connect to the VPN without changing their password, then they are denied access.

Is there a rule in ACS that can achieve this goal?

Hi Michael,

David Castro F. — Fri, 04 Mar 2016 23:31:42 GMT

Hi Michael,

You can reset the password this way:

Resetting Another Administrator’s Password

To reset another administrator’s password:

*Step 1 Choose System Administration > Administrators > Accounts.

The Accounts page appears with a list of administrator accounts.

*Step 2 Check the check box next to the administrator account for which you want to change the password and click Change Password.

The Authentication Information page appears, listing the date when the administrator’s password was last changed.

*Step 3 In the Password field, enter a new administrator password.

*Step 4 In the Confirm Password field, re-enter the new administrator password.

*Step 5 Check the Change password on next login check box for the other administrator to change password at first login.

*Step 6 Click Submit.

The administrator password is reset.

¿Which Type of Remote Access VPN are you using Anyconnect or VPN client IPsec?

Please rate and mark as correct the this post if it helped you! Keep me posted

David Castro,

I appreciate your response.

michaelhorv11 — Mon, 07 Mar 2016 15:41:47 GMT

I appreciate your response. The users will be connecting to the VPN via AnyConnect. For the AnyConnect users, is there an option to force them to change their password upon first login?

Hello Michael,

David Castro F. — Mon, 07 Mar 2016 18:10:36 GMT

Hello Michael,

Yes, there is a way to change the password, you will need to define "password-management" under the tunnel group that you created for this connection with the AAA server that will authenticate users, please take into account the following information:

ACS can be configured to check the users in an AD database. Password expiry and change is supported when Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) is used;

On an ASA, you can use the password management feature, as described in the next section, in order to force the ASA to use MSCHAPv2. ACS uses the Common Internet File System (CIFS) Distributed Computing Environment/Remote Procedure Call (DCE/RPC) call when it contacts the Domain Controller (DC) directory in order to change the password.

ASA can use both the RADIUS and TACACS+ protocols in order to contact with the ACS for an AD password change, the command:

ASA(config)# tunnel-group general-attributes

ASA(config-tunnel-general)# password-management

For further information, on PAP and MSCHAP along with radius, you may find it here:

http://www.cisco.com/c/en/us/support/docs/network-management/remote-access/116757-config-asa-remote-00.pdf

Please proceed to rate this post and the previous one and mark it as correct, keep me posted if something comes up!

Regards,

David Castro,