06-13-2012 11:32 PM - edited 03-10-2019 07:11 PM
Hello,
I've got the above listed Szenario.
Now I've tested the PasswordManagement by configuering the User, that he must change the Password at next Logon (did this on the DomainController)
So now when I connect with AnyConnect, I enter the old PW, then I'm forced to change the PW, and next I get the Message: Access denied.
In ACS I see 3 messages:
24407 User authentication against Active Directory failed since user is required to change his password |
24463 Internal error in the ACS Active Directory |
24408 User authentication against Active Directory failed since user has entered the wrong password next Time I try to connect with the new PW, i get Access, but it's not very comfortable for the Users. Is this the usual Behaviour, or is there something wrong? Thank You! P.S. Domain Controller is MS Win 2003 |
Solved! Go to Solution.
06-14-2012 05:35 AM
I think this may relate to following CDETS on AnyConnect
CSCua41458: AC password change: two conversations, 1st is dropped
It is newly opened and do not ye have further analysis / input
06-14-2012 04:27 AM
Actually, when the option of "force user to change password at next login" is selected in AD, and you do VPN authentication,this will be like password has expired and it has to be changed this time. That's why the ACS report will show "24407 User authentication against Active Directory failed since user is required to change his password".
Since we are using radius so qn the ASA, you have to enable password management for the tunnel-group the
VPN user uses to login:
ASA(config)# tunnel-group
general-attributes ASA(config-tunnel-general)# password-management
So basically, when you select 'change password at next login' on AD, 'enable password change' on ACS, and enable 'password-management' on ASA, and a user tries to login, the first response sent by the ACS to ASA would be 'access reject'. The ACS report would show '24407 User authentication against Active Directory failed since user is required to change his password'. Immediately after this, the VPN user would get a prompt to change his password. Finally, ACS will send an 'access accept' reply. So, for this request, 2 ACS logs would be created- one for access reject and another for access accept.
Hope this helps.
-Jatin
Do rate helpful posts-
06-14-2012 05:12 AM
Hello Jatin,
thank you for your response. I've everything configured as you explained.
So the devices working as designed, I'm not concerned about the messages in ACS, the only thing I dislike, is the Prompt on the Client-PC after changing password, that "access is denied" and the User has to type the new PW again. I'm afraid of too many Calls to the Hotline, you understand ;-) ?
So there is no malfunction in this scenario, right?
Karl
06-14-2012 05:35 AM
I think this may relate to following CDETS on AnyConnect
CSCua41458: AC password change: two conversations, 1st is dropped
It is newly opened and do not ye have further analysis / input
06-14-2012 05:57 AM
Thank you,
Version is
anyconnect-win-3.0.07059-k9.pkg
hope it will be fixed soon.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide