
How to setup to change password for VPN

jjohnson36
Level 1

We have an ASA 5550, Steel-Belted Radius and Windows 2003 Active Directory. I am trying to set this up so that the users can change the password when the password expires. We have over 1000 users.

I set up "password-management password-expire-in-days 14" on the ASA. At the VPN client, it prompted for the User Name, Password, and Domain. I typed in the password. Then it showed me a screen for the new password and confirm new password. Then it went back to the screen for the user name, password and domain. I typed in the new password and got the error message "413 User authentication failed". How do you set this up so that the users can change their password before the password expires? Any help is greatly appreciated.

Thanks.

Jill

3 Replies

smahbub
Level 6

To enable password management, use the password-management command in tunnel-group general-attributes configuration mode. To disable password management, use the no form of this command. To reset the number of days to the default value, use the no form of the command with the password-expire-in-days keyword specified.

If you do not specify this command, no password management occurs. If you do not specify the password-expire-in-days keyword, the default length of time to start warning before the current password expires is 14 days.

Thanks for your response.

If I set up password-management and do not specify password-expire-in-days on the ASA, do I need to set up anything in Active Directory so that Active Directory will inform the users that their password will expire in 14 days?

Jill

Danilo Dy
VIP Alumni

If you want Active Directory users to be notified before their password expires, use this script in Windows 2003 and run it in Task Scheduler every day. Remember to put the user's email address in the Active Directory user account properties. You can amend the script to notify the user 9-6-3 days before their password expires. Be creative and add more info in the email, like the URL created in IISADMPWD so that users will know where to change their password.

http://windowsitpro.com/article/articleid/46819/how-can-i-use-a-script-to-determine-password-expiration-dates-for-users-in-a-domain-or-an-organizational-unit-ou-and-send-an-email-message-to-accounts-whose-passwords-expire-soon.html

If you want Active Directory users to change their password before it expires, search for IISADMPWD in the Microsoft Knowledge Base. For security, you can copy the IISADMPWD files outside the Windows system directory and point the IIS home directory there. Make the page available only after the user successfully logs in to the VPN. You can be creative and amend the IISADMPWD files to provide information to users when they browse the page, like password difficulty, etc.

You need IIS and SMTP.
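
The date arithmetic behind the expiry reminder script described in the reply above, as an added example that is not part of the thread or the linked article: it selects the accounts due a 9-6-3 day reminder from the `pwdLastSet`, `userAccountControl` and `mail` attributes and the domain `maxPwdAge`. It assumes those attributes have already been read from the directory; the user records, the 42-day policy and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
TICKS_PER_DAY = 86400 * 10**7      # AD stores time in 100 ns ticks
SKIP_FLAGS = 0x10000 | 0x2         # DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
NOTIFY_DAYS = (9, 6, 3)            # reminder schedule suggested in the post

def to_filetime(dt):               # helper for building the sample records
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7

def password_expiry(user, max_pwd_age):
    """Expiry datetime, or None (never expires, disabled, or pwdLastSet 0)."""
    if (user["userAccountControl"] & SKIP_FLAGS or max_pwd_age == 0
            or user["pwdLastSet"] == 0):   # 0 = must change at next logon
        return None
    # maxPwdAge is a negative interval; add its magnitude to pwdLastSet.
    ticks = user["pwdLastSet"] + abs(max_pwd_age)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def users_to_notify(users, max_pwd_age, now):
    """Return (account, mail, days_left) for users due a reminder today."""
    due = []
    for user in users:
        expiry = password_expiry(user, max_pwd_age)
        if expiry is None or not user.get("mail"):
            continue               # nothing to report, or no address on file
        days_left = (expiry.date() - now.date()).days
        if days_left in NOTIFY_DAYS:
            due.append((user["sAMAccountName"], user["mail"], days_left))
    return due

def _user(name, mail, uac, last_set):
    return {"sAMAccountName": name, "mail": mail, "userAccountControl": uac,
            "pwdLastSet": to_filetime(last_set) if last_set else 0}

# Constructed sample records and a 42-day domain policy (assumptions).
NOW = datetime(2024, 3, 15, 8, 0, tzinfo=UTC)
MAX_PWD_AGE = -42 * TICKS_PER_DAY
SAMPLE_USERS = [
    _user("alice", "alice@example.com", 0x200, datetime(2024, 2, 11, 10, tzinfo=UTC)),
    _user("carol", "carol@example.com", 0x10200, datetime(2023, 1, 5, tzinfo=UTC)),
    _user("dave", None, 0x200, datetime(2024, 2, 8, 16, tzinfo=UTC)),
    _user("erin", "erin@example.com", 0x200, None),
    _user("frank", "frank@example.com", 0x200, datetime(2024, 2, 5, 16, tzinfo=UTC)),
]

if __name__ == "__main__":
    print(users_to_notify(SAMPLE_USERS, MAX_PWD_AGE, NOW))
```

Accounts with no `mail` attribute are skipped silently here; on a real directory, listing them for the administrator catches users who would otherwise never get the reminder.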