Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4410
Views
0
Helpful
7
Replies

No prompt for password change for VPN client authenticate using ACS local DB

jintao99
Level 1
Level 1

‎10-04-2010 02:15 PM - edited ‎03-10-2019 05:27 PM

I'm setting up VPN authentication using ACS 5.1 and ASA 8.0.5. User connects using Cisco VPN client, and is authenticated to Internal users db on ACS. Everything works, except that if "Change password on next login" is checked for a user, the login will fail. The Radius log on ACS says user need to change password. However it didn't prompt for the password change. I know there must be a simple option either in VPN client profile or ini file, or on ASA tunnel group definition. However I tried several options, still couldn't make it work. Does anyone know?

Thanks,

Tao

1 person had this problem
Labels:
0 Helpful
7 Replies 7

rodmunch999
Level 1
Level 1

‎10-04-2010 06:59 PM

I believe the change password a next logon will only work if user logs into a device using telnet.

0 Helpful

jintao99
Level 1
Level 1
In response to rodmunch999

‎10-05-2010 07:43 AM

Can someone from Cisco confirm if this is the case? Hard to believe that this won't work.

Thanks,

Tao

0 Helpful

iam_pomme
Level 1
Level 1

‎11-15-2010 11:22 PM

I also stuck with the same issue and have no idea how to encourage user to change their password. Please share if you have any clue.

Thanks.

PK,

0 Helpful

hector.ricapa
Level 1
Level 1

‎11-29-2010 08:00 AM

Hi all, I'm having this same issue, is there any way to make users change their passwords via a prompt in the vpn client, Im using ASA 8.2 and ACS 4.2.

A response from Cisco would be appreciate.

Thanks

0 Helpful

jintao99
Level 1
Level 1

‎11-29-2010 08:35 AM

To make it work, MS-CHAPv2 must be selected in allowed protocol under ACS access policy. And under VPN tunnel group, enable password management. However this does't fix the issue in my case. Because all my other users should be using PAP/ASCII, when MS-CHAPv2 enabled, somehow all authentication would be using MS-CHAPv2 and fail. And I can't think of a way to define two different VPN policies to separate these two type of authenticaton requests.

0 Helpful

slawford
Cisco Employee
Cisco Employee

‎12-01-2010 03:34 PM

Password change/management through RADIUS is not supported for users in the local database. Password management to users in external stores is supported, and is documented in CSCsj50218 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsj50218).

That being said, while not officially supported, password management to the ACS internal database for VPN users connecting to an ASA is known to work over TACACS on both ACS 4.x and 5.1+.

Steve.

0 Helpful

Eternity
Level 1
Level 1

‎09-22-2016 12:44 AM 

tunnel-group RA general-attributes
 authentication-server-group ACS
 password-management

The password-management command changes the behavior so that the ASA is forced to use MSCHAPv2, rather than PAP, in the Radius-Request.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents