10-04-2010 02:15 PM - edited 03-10-2019 05:27 PM
I'm setting up VPN authentication using ACS 5.1 and ASA 8.0.5. User connects using Cisco VPN client, and is authenticated to Internal users db on ACS. Everything works, except that if "Change password on next login" is checked for a user, the login will fail. The Radius log on ACS says user need to change password. However it didn't prompt for the password change. I know there must be a simple option either in VPN client profile or ini file, or on ASA tunnel group definition. However I tried several options, still couldn't make it work. Does anyone know?
Thanks,
Tao
10-04-2010 06:59 PM
I believe the change password a next logon will only work if user logs into a device using telnet.
10-05-2010 07:43 AM
Can someone from Cisco confirm if this is the case? Hard to believe that this won't work.
Thanks,
Tao
11-15-2010 11:22 PM
I also stuck with the same issue and have no idea how to encourage user to change their password. Please share if you have any clue.
Thanks.
PK,
11-29-2010 08:00 AM
Hi all, I'm having this same issue, is there any way to make users change their passwords via a prompt in the vpn client, Im using ASA 8.2 and ACS 4.2.
A response from Cisco would be appreciate.
Thanks
11-29-2010 08:35 AM
To make it work, MS-CHAPv2 must be selected in allowed protocol under ACS access policy. And under VPN tunnel group, enable password management. However this does't fix the issue in my case. Because all my other users should be using PAP/ASCII, when MS-CHAPv2 enabled, somehow all authentication would be using MS-CHAPv2 and fail. And I can't think of a way to define two different VPN policies to separate these two type of authenticaton requests.
12-01-2010 03:34 PM
Password change/management through RADIUS is not supported for users in the local database. Password management to users in external stores is supported, and is documented in CSCsj50218 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj50218).
That being said, while not officially supported, password management to the ACS internal database for VPN users connecting to an ASA is known to work over TACACS on both ACS 4.x and 5.1+.
Steve.
09-22-2016 12:44 AM
tunnel-group RA general-attributes
authentication-server-group ACS
password-management
The password-management command changes the behavior so that the ASA is forced to use MSCHAPv2, rather than PAP, in the Radius-Request.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide