Beginner

Cisco VPN Login Fail After Enable Password Management

Hi,

I have a VPN setup consisting of a Cisco ASA, Cisco ACS and a Microsoft LDAP server. The VPN client is authenticated via the LDAP server and authorized via the ACS.

The software version that I am using is 8.4(3).

The VPN connection was OK until I enabled the Password Management option on the ASA. Thus, I would like to enquire whether this is a bug or whether any additional configuration is needed.

Thanks and Rgds

Advocate

Re:Cisco VPN Login Fail After Enable Password Management

You can only use password management with RADIUS since MSCHAPv2 is used to change the password. LDAP doesn't support MSCHAPv2 even though you connect to AD.

You will need ACS to join your AD domain and allow it to perform the authentication.

Thanks


Tarik Admani
*Please rate helpful posts*
Beginner

Cisco VPN Login Fail After Enable Password Management

Hi Steven,

We had some issues when enabling the password management feature through ASDM; if you check the box in the GUI, it adds the additional "password-expire-in-days 14" argument, which has been documented to cause issues (this is directly from the TAC case engineer I worked with). It was recommended to me to add the password management option from the CLI to the connection profile without the expiry option.

ASA(config)# tunnel-group MyVPN general-attributes
ASA(config-tunnel-general)# password-management

There were also some issues in earlier 8.4 releases (a regression of a previously noted bug) that caused auth to fail with password management enabled; I don't have the bug ID handy, but I recall that it was marked as fixed in 8.4(1).

We are using Active Directory as the external identity store in CSACS with the Enable Password Change option checked, and it is working very well.

Hope this helps!

Advocate

Re:Cisco VPN Login Fail After Enable Password Management

I also read in the ASA user guide that you can use LDAP with AD, but you must bind to it using LDAPS.


Tarik Admani
*Please rate helpful posts*
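The replies above boil down to two things to check in the ASA configuration before enabling password management: whether the tunnel-group's authentication server is RADIUS (or LDAP bound to AD over LDAPS), and whether ASDM has tacked the "password-expire-in-days 14" argument onto the password-management line. The following script is an added example (not from this thread, Cisco, or ACS) that audits a running-config for exactly those two conditions; the aaa-server and tunnel-group names, addresses and the sample config itself are constructed for illustration.

```python
"""Audit an ASA running-config for the password-management pitfalls
discussed in this thread (added example, not Cisco code).

For every tunnel-group that has ``password-management`` it reports:
  * "expire-arg"           - the ``password-expire-in-days`` argument that
                             ASDM adds, which the thread says caused failures;
  * "ldap-without-ldaps"   - an authentication-server-group whose aaa-server
                             protocol is ldap but has no ``ldap-over-ssl enable``
                             (thread: RADIUS works, LDAP to AD only over LDAPS).
"""
import re

# Constructed sample config (hypothetical names and addresses) mirroring the
# original poster's setup: LDAP for authentication, ACS (RADIUS) for
# authorization, password management ticked in ASDM.
SAMPLE_CONFIG = """\
aaa-server MyLDAP protocol ldap
aaa-server MyLDAP (inside) host 10.0.0.5
 ldap-base-dn dc=example,dc=com
 ldap-login-dn cn=svc,cn=Users,dc=example,dc=com
 server-type microsoft
aaa-server MyACS protocol radius
aaa-server MyACS (inside) host 10.0.0.6
 key *****
tunnel-group MyVPN type remote-access
tunnel-group MyVPN general-attributes
 address-pool VPNPOOL
 authentication-server-group MyLDAP
 authorization-server-group MyACS
 password-management password-expire-in-days 14
tunnel-group OtherVPN type remote-access
tunnel-group OtherVPN general-attributes
 authentication-server-group MyACS
 password-management
"""


def parse_config(text):
    """Return (servers, groups) parsed from ASA running-config text.

    servers: {name: {"protocol": str, "ldaps": bool}}
    groups:  {name: {"auth_group": str | None, "pm": str | None}}
    ``pm`` is the stripped password-management line, or None if absent.
    """
    servers, groups = {}, {}
    cur_server = cur_group = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            # A top-level command ends whatever block we were in.
            cur_server = cur_group = None
            m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
            if m:
                servers[m.group(1)] = {"protocol": m.group(2), "ldaps": False}
                continue
            m = re.match(r"aaa-server (\S+) \(\S+\) host ", line)
            if m:
                cur_server = m.group(1)
                servers.setdefault(cur_server, {"protocol": "?", "ldaps": False})
                continue
            m = re.match(r"tunnel-group (\S+) general-attributes$", line)
            if m:
                cur_group = m.group(1)
                groups.setdefault(cur_group, {"auth_group": None, "pm": None})
            continue
        if cur_server and line == "ldap-over-ssl enable":
            servers[cur_server]["ldaps"] = True
        elif cur_group:
            if line.startswith("authentication-server-group "):
                # Drop an optional "(interface)" token and any LOCAL fallback.
                toks = [t for t in line.split()[1:] if not t.startswith("(")]
                groups[cur_group]["auth_group"] = toks[0] if toks else None
            elif line.startswith("password-management"):
                groups[cur_group]["pm"] = line
    return servers, groups


def audit(text):
    """Return a list of (tunnel_group, finding) tuples, in config order."""
    servers, groups = parse_config(text)
    findings = []
    for name, g in groups.items():
        if g["pm"] is None:
            continue
        if "password-expire-in-days" in g["pm"]:
            findings.append((name, "expire-arg"))
        srv = servers.get(g["auth_group"] or "")
        if srv is None:
            continue  # LOCAL or unknown server group: nothing to evaluate here
        if srv["protocol"] == "ldap" and not srv["ldaps"]:
            findings.append((name, "ldap-without-ldaps"))
    return findings


if __name__ == "__main__":
    for tg, finding in audit(SAMPLE_CONFIG):
        print(f"tunnel-group {tg}: {finding}")
```

Run against a real config with `audit(open("running-config.txt").read())`; a clean result for a tunnel-group means its password-management line is the plain form from the CLI and its authentication server is either RADIUS or LDAP with `ldap-over-ssl enable`, which is the combination the replies describe as working.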
Beginner

Cisco VPN Login Fail After Enable Password Management

Hi Tarik / Admani,

Noted, thanks for the advice. I will join my ACS to the AD and enable MSCHAPv2 for the authentication. I will keep you guys updated.

Rgds