11-06-2007 07:07 AM - edited 03-10-2019 03:30 PM
I'm setting up a new ASA with VPN access and am trying to decide which authentication method to use, LDAP or RADIUS. I was wondering if there were any pros or cons to either way. I'm trying to control access by Active Directory group.
01-15-2008 07:24 AM
I'm on 8.02. I'll pass it along if I find anything.
01-15-2008 07:33 AM
Thanks a bunch.
01-15-2008 08:09 AM
Password-management will work with Radius and LDAP. When using radius you will not be notified a certain number of days before password expiration, but you will be notified when it expires and will be able to change it.
01-15-2008 08:13 AM
When my client connects to our PIX, he is prompted for his AD username and password. If the password has expired, it just keeps asking him for his password and then locks his account.
What have I done wrong, or better, how do you properly set this up on a RADIUS server?
Thanks.
01-15-2008 08:15 AM
This is the command you are looking for.
password-management
http://cisco.com/en/US/docs/security/asa/asa71/command/reference/p_711.html#wp1643267
Once enabled on the firewall, all you have to do is make sure you are allowing MS-CHAP v2 in your remote access policy on the IAS server.
When the user connects to the VPN and their password has expired, it will prompt them to change their password.
hostname(config)# tunnel-group group-name general-attributes
hostname(config-tunnel-general)# password-management
edit: There is also a checkbox in the remote access policy in IAS to "allow user to change password after it expires"...check it.
01-15-2008 08:42 AM
It sounds like you are using LDAP right now. In order to enable password management with LDAP you must use Secure LDAP. At the command line it is "ldap-over-ssl"; in ASDM it is a check box on the LDAP server page. (LDAP configuration starts at page 13-12 in the 8.0 CLI Config Guide; the requirement for LDAP over SSL to enable password management is mentioned on page 30-10).
To enable LDAP over SSL on the AD LDAP server you will need to install a certificate on the server. Once the certificate is installed no other configuration is required on the AD server.
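As an added example (not posted by anyone in this thread), here is a minimal ASA 8.0 configuration that ties the replies above together: a RADIUS server group for IAS, an LDAP server group with ldap-over-ssl for AD, and a remote-access tunnel group with password-management. Host addresses, names, base DN and the bind account are constructed placeholders; the shared secret and bind password must be replaced with your own values.

```cisco
! --- RADIUS server group pointing at an IAS server (constructed addresses) ---
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET     ! must match the RADIUS client entry in IAS exactly
!
! --- LDAP server group for Active Directory; ldap-over-ssl is required for password-management ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.11
 ldap-over-ssl enable               ! needs a server certificate installed on the DC
 server-port 636
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password REPLACE-WITH-BIND-PASSWORD
 server-type microsoft
!
! --- Remote-access tunnel group; swap AD-LDAP for IAS-RADIUS to authenticate via LDAP instead ---
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group IAS-RADIUS
 password-management               ! prompts the user to change an expired password at logon
```

Note that the "test aaa-server authentication" CLI check sends PAP, so a failure there does not by itself mean the MS-CHAPv2 path used by VPN clients is broken; confirm with a real client logon once IAS allows MS-CHAPv2.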
01-16-2008 04:27 PM
Hi, I am trying to get my ASA to use a RADIUS server and authenticate with the domain, but I just can't seem to get it to work. When I do the test in the ASA it always fails. I do get an error on the server about a wrong password, but I still can't figure it out. Any direction would be appreciated.
01-17-2008 08:32 AM
Hello,
Verify that you are using MS-CHAPv2 on your RADIUS server under IAS and Routing and Remote Access services, and on your ASA. It would help if you have more details about your configurations. Thanks.
01-17-2008 09:24 AM
Sounds like your RADIUS shared secret doesn't match what's on the ASA.
01-17-2008 09:48 AM
Steve,
The "test" feature in the ASA uses PAP. If PAP is not enabled on your RADIUS server, it will fail with "invalid password".
If you are running IAS, enable PAP in the remote access policy, or test from a VPN client, not from the "test" function in the ASA.
01-17-2008 10:21 AM
Thanks, I will try it. I also tried the VPN client and was able to connect; however, it used local authentication rather than AD.
01-17-2008 10:26 AM
Yep, tried it, still get "user rejected". The reason it gives in Windows is: "The connection attempt did not match any connection request policy."
But I do have a policy set up.
01-17-2008 10:29 AM
What is defined in your connection request policy?
01-17-2008 10:34 AM
I have "match username" set to a wildcard, and then I have tried "authenticate requests on this server" and also without credentials.
01-17-2008 11:12 AM
Try it without the username value. By default the policy "Use Windows authentication for all users" is only set to the day-and-time restriction "permit all". I would try that.