This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I'm setting up VPN authentication using ACS 5.1 and ASA 8.0.5. User connects using Cisco VPN client, and is authenticated to Internal users db on ACS. Everything works, except that if "Change password on next login" is checked for a user, the login will fail. The Radius log on ACS says user need to change password. However it didn't prompt for the password change. I know there must be a simple option either in VPN client profile or ini file, or on ASA tunnel group definition. However I tried several options, still couldn't make it work. Does anyone know?
I also stuck with the same issue and have no idea how to encourage user to change their password. Please share if you have any clue.
Hi all, I'm having this same issue, is there any way to make users change their passwords via a prompt in the vpn client, Im using ASA 8.2 and ACS 4.2.
A response from Cisco would be appreciate.
To make it work, MS-CHAPv2 must be selected in allowed protocol under ACS access policy. And under VPN tunnel group, enable password management. However this does't fix the issue in my case. Because all my other users should be using PAP/ASCII, when MS-CHAPv2 enabled, somehow all authentication would be using MS-CHAPv2 and fail. And I can't think of a way to define two different VPN policies to separate these two type of authenticaton requests.
Password change/management through RADIUS is not supported for users in the local database. Password management to users in external stores is supported, and is documented in CSCsj50218 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj50218).
That being said, while not officially supported, password management to the ACS internal database for VPN users connecting to an ASA is known to work over TACACS on both ACS 4.x and 5.1+.
tunnel-group RA general-attributes
The password-management command changes the behavior so that the ASA is forced to use MSCHAPv2, rather than PAP, in the Radius-Request.