Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1943
Views
0
Helpful
4
Replies

Paasword Management AnyConnect->ASA5510->ACS5.3->ActiveDirectory

Go to solution
gaigl
Level 3
Level 3

‎06-13-2012 11:32 PM - edited ‎03-10-2019 07:11 PM

Hello,

I've got the above listed Szenario.

Now I've tested the PasswordManagement by configuering the User, that he must change the Password at next Logon (did this on the DomainController)

So now when I connect with AnyConnect, I enter the old PW, then I'm forced to change the PW, and next I get the Message: Access denied.

In ACS I see 3 messages:


24407 User authentication against Active Directory failed since user is required to change his password

24463 Internal error in the ACS Active Directory

24408 User authentication against Active Directory failed since user has entered the wrong password

next Time I try to connect with the new PW, i get Access, but it's not very comfortable for the Users.

Is this the usual Behaviour, or is there something wrong?

Thank You!

P.S. Domain Controller is MS Win 2003

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jrabinow
Level 7
Level 7
In response to gaigl

‎06-14-2012 05:35 AM

I think this may relate to following CDETS on AnyConnect

CSCua41458: AC password change: two conversations, 1st is dropped

It is newly opened and do not ye have further analysis / input

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-14-2012 04:27 AM

Actually, when the option of "force user to change password at next login" is selected in AD, and you do VPN authentication,this will be like password has expired and it has to be changed this time. That's why the ACS report will show "24407 User authentication against Active Directory failed since user is required to change his password".

Since we are using radius so qn the ASA, you have to enable password management for the tunnel-group the

VPN user uses to login:

ASA(config)# tunnel-group  general-attributes
ASA(config-tunnel-general)# password-management

So basically, when you select 'change password at next login' on AD, 'enable password change' on ACS, and enable 'password-management' on ASA, and a user tries to login, the first response sent by the ACS to ASA would be 'access reject'. The ACS report would show '24407 User authentication against Active Directory failed since user is required to change his password'. Immediately after this, the VPN user would get a prompt to change his password. Finally, ACS will send an 'access accept' reply. So, for this request, 2 ACS logs would be created- one for access reject and another for access accept.

Hope this helps.

-Jatin

Do rate helpful posts-

~Jatin
0 Helpful

Go to solution
gaigl
Level 3
Level 3
In response to Jatin Katyal

‎06-14-2012 05:12 AM

Hello Jatin,

thank you for your response. I've everything configured as you explained.

So the devices working as designed, I'm not concerned about the messages in ACS, the only thing I dislike, is the Prompt on the Client-PC after changing password, that "access is denied" and the User has to type the new PW again. I'm afraid of too many Calls to the Hotline, you understand ;-) ?

So there is no malfunction in this scenario, right?

Karl

0 Helpful

Go to solution
jrabinow
Level 7
Level 7
In response to gaigl

‎06-14-2012 05:35 AM

I think this may relate to following CDETS on AnyConnect

CSCua41458: AC password change: two conversations, 1st is dropped

It is newly opened and do not ye have further analysis / input

0 Helpful

Go to solution
gaigl
Level 3
Level 3
In response to jrabinow

‎06-14-2012 05:57 AM

Thank you,

Version is

anyconnect-win-3.0.07059-k9.pkg

hope it will be fixed soon.

0 Helpful
Customers Also Viewed These Support Documents