Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4832
Views
0
Helpful
2
Replies

Password aging with VPN Client not working

fernandoaguirre
Level 1
Level 1

‎12-15-2009 04:36 PM - edited ‎03-10-2019 04:51 PM

I need to force the Cisco VPN client to change his password on first login. In my setup I have the vpn client username locally created in a Cisco ACS 4.1 Database and we are stablishing the VPN Remote Access tunnel to a ASA5510 version 8.2.

So in ACS I went to password aging rules and clicked the Passsword expires on first login, then I tried to login and connect but then authentication failed with no pop up window to force the customer to change his password. When I see the ACS logs I can see that the password has expired, but I'm never asked to change the password on the vpn client.

I also have the password-management (previously radius-with-expiry) option enabled on the tunnel-group general attributes of the ASA5510.

So how can I enable the user to change his password and show pop-up window for him to change it?

Regards,


Fernando Aguirre

Labels:
0 Helpful
2 Replies 2

Parminder Sian
Level 1
Level 1

‎12-15-2009 11:14 PM

The doc says that it is supported for LDAP only

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml#passexpiry

Hope this helps.

Regards,

Pammi

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee

‎12-19-2009 05:39 AM

Fernando:


Going through your post, I noticed that you have "password-management" enabled under the concern tunnel-group to use password expiry feature for VPN clients.

The command is correct beacuse radius-with-expiry was deprecated from 7.1.1. The password-management command replaces it. The no form of the radius-with-expiry command is no  longer supported.

Since you have user created on cisco ACS  (radius server) this will not work with password aging feature.It will only work if user is on Windows database. The password policy should only be configured on the windows user database.


For VPN users, if we are using radius with expiry/ radius (proxy to AD) and ACS using Active Directory as the back end database, we cannot send any warning messages to the end client about the days remaining for their password to expire. The password expiry will happen through ACS, when the change is required, and it is only at that moment user will be prompted to change the password. But users won’t get the any pre-warning messages.


You have to use windows database if you want to use ACS as a radius server OR you can use direct LDAP database bypassing the ACS. With LDAP, you can also get warning message that password will be expired in N number of days unlike radius.


If we are using ASA/PIX version 7.2 or above and if you want that warming message to appear, then you can try configuring ASA for LDAP authentication rather than RADIUS authentication. And for LDAP authentication, you would be required to configure the firewall appropriately and then make use of password-expiry feature on ASA

Configuring Microsoft Active Directory Settings for Password Management:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1166214

Configuring IPSec Remote-Access Connection Profile General Attributes (refer to Step 9):

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1133080


Do let me know if you need any further assistance on this.


HTH

JK


Pls rate helpful posts-

~Jatin
0 Helpful
Customers Also Viewed These Support Documents