Cisco VPN Login Fail After Enable Password Management

Steven Chua
Level 1

Hi,

I have a VPN setup consisting of a Cisco ASA, Cisco ACS and a Microsoft LDAP server. The VPN client will be authenticated via the LDAP server and authorized via the ACS.

The software version that I am using is 8.4(3).

The VPN connection is ok until I enabled the Password Management option on the ASA. Thus, I would like to enquire if this is a bug or any additional configuration needed.

Thanks and Rgds

4 Replies

Tarik Admani
VIP Alumni

You can only use password management with RADIUS since MSCHAPv2 is used to change the password. LDAP doesn't support MSCHAPv2 even though you connect to AD.

You will need ACS to join your AD domain and allow it to perform the authentication.

Thanks

Sent from Cisco Technical Support Android App

Travis Hysuick
Level 1

Hi Steven,

We had some issues when enabling the password management feature through ASDM; if you check the box in the GUI, it adds the additional "password-expire-in-days 14" argument, which has been documented to cause issues (this is directly from the TAC case engineer I worked with). It was recommended to me to add the password management option from the CLI to the connection profile without the expiry option.

ASA(config)# tunnel-group MyVPN general-attributes
ASA(config-tunnel-general)# password-management

There were also some issues in earlier 8.4 releases (regression of a previously noted bug) that caused auth to fail with password management enabled; I don't have the bug ID handy but I recall that it was marked as fixed in 8.4(1).

We are using Active Directory as the external identity store in CSACS with the Enable Password Change option checked and it is working very well.

Hope this helps!
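
The two configuration points raised in this thread (the ASDM-added "password-expire-in-days" argument, and password management against an LDAP server group rather than RADIUS/ACS) can be checked mechanically in a saved running-config. The following is an added example, not code from the thread or from Cisco; the tunnel-group names, aaa-server names and the config excerpt are constructed, and the finding codes are my own labels.

```python
import re

# Constructed ASA running-config excerpt (not from the thread): an ASDM-style group with
# the expiry argument on an LDAP server group, a bare RADIUS group, and one without it.
SAMPLE_CONFIG = """\
aaa-server ACS protocol radius
aaa-server AD-LDAP protocol ldap
tunnel-group MyVPN general-attributes
 authentication-server-group AD-LDAP
 password-management password-expire-in-days 14
tunnel-group RadiusVPN general-attributes
 authentication-server-group ACS
 password-management
tunnel-group NoPwMgmt general-attributes
 authentication-server-group AD-LDAP
"""
EXPIRE_IN_DAYS = "EXPIRE_IN_DAYS"    # ASDM-added "password-expire-in-days N" argument present
LDAP_AUTH_GROUP = "LDAP_AUTH_GROUP"  # LDAP auth group: password change needs RADIUS/MSCHAPv2

def parse_server_protocols(config):
    """Map each aaa-server group name to its protocol (radius, ldap, ...)."""
    return dict(re.findall(r"^aaa-server (\S+) protocol (\S+)", config, re.M))

def audit_password_management(config):
    """Return {tunnel-group: [codes]} for every block that enables password-management."""
    protocols = parse_server_protocols(config)
    findings = {}
    group = auth_group = pw_line = None
    def flush():  # record findings for the tunnel-group block that just ended
        if group and pw_line is not None:
            codes = []
            if "password-expire-in-days" in pw_line:
                codes.append(EXPIRE_IN_DAYS)
            if protocols.get(auth_group) == "ldap":
                codes.append(LDAP_AUTH_GROUP)
            findings[group] = codes
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level command closes the open block
            flush()
            m = re.match(r"tunnel-group (\S+) general-attributes$", line)
            group = m.group(1) if m else None
            auth_group = pw_line = None
            continue
        cmd = line.strip()
        if cmd.startswith("authentication-server-group "):
            # syntax: authentication-server-group [(interface)] server_group [LOCAL]
            auth_group = next(p for p in cmd.split()[1:] if not p.startswith("(") and p != "LOCAL")
        elif cmd.startswith("password-management"):
            pw_line = cmd
    flush()
    return findings
```

Run it over the output of "show running-config" to list the connection profiles that still carry the expiry argument or that point password management at an LDAP server group.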

Tarik Admani
VIP Alumni

I also read in the ASA user guide that you can use LDAP with AD but you must bind to it using LDAPS.

Sent from Cisco Technical Support Android App

Steven Chua
Level 1

Hi Tarik / Admani,

Noted for the advice. I will join my ACS to the AD and enable MSCHAPv2 for the authentication. I will keep you guys updated.

Rgds