01-15-2008 06:16 AM - edited 02-21-2020 01:51 AM
My employer has implemented an AD group policy to force password changes every 3 months. This causes a problem: when a road warrior connects via VPN and then tries to access his email or a network share, it does not allow him to, as he had already logged into his laptop with his old password and AD only prompts you to change your password on login.
Can anyone tell me how they handle this situation?
Thanks in advance.
01-15-2008 06:57 AM
What device is terminating the vpn?
It is possible to change your password via the VPN client when it has expired. This is available in PIX and ASA.
01-15-2008 08:08 AM
I am using a PIX 515 running IOS 7.1.2.
What I did was force authentication through an IAS RADIUS server which looks to AD to see if the users are members of an AD group.
I have found people using ASDM. Is this better or can I use it in conjunction with my Radius server?
Thanks.
01-15-2008 08:14 AM
This is the command you are looking for.
password-management
http://cisco.com/en/US/docs/security/asa/asa71/command/reference/p_711.html#wp1643267
Once enabled on the firewall, all you have to do is make sure you are allowing MS-CHAP v2 in your remote access policy on the IAS server.
When the user connects to the vpn and their password has expired, it will prompt them to change their password.
hostname(config)# tunnel-group group-name general-attributes
hostname(config-tunnel-general)# password-management
edit: There is also a checkbox in the remote access policy in IAS to "allow user to change password after it expires"...check it.
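Why the fix above insists on MS-CHAP v2 rather than PAP: the only thing that tells the PIX/ASA "this user's password is expired, offer a change" is the Microsoft vendor attribute MS-CHAP-Error (RFC 2548) in the Access-Reject, whose E= code comes from RFC 2759 section 6 (648 = ERROR_PASSWD_EXPIRED); the change itself is then sent as an MS-CHAPv2 Change-Password. A PAP reject carries none of that. The decoder below is an added example written for this page, not code from the thread, Cisco or Microsoft; the RADIUS packets it parses are constructed inline, with a random authenticator that is not verified, and the field layouts follow RFC 2865, RFC 2548 and RFC 2759.

```python
"""Decode the MS-CHAPv2 error that a RADIUS server puts in an Access-Reject.
Added example for illustration; packets below are constructed, not captured."""
import os
import struct

ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311      # enterprise number used by RFC 2548
MS_CHAP_ERROR = 2           # vendor type of MS-CHAP-Error

# MS-CHAPv2 failure codes, RFC 2759 section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}


def _attr(attr_type, value):
    """One RFC 2865 attribute: Type, Length (incl. header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26) wrapping one vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def build_packet(code, ident, attrs):
    """RADIUS header (code, id, length, 16-byte authenticator) + attributes.
    The authenticator is random here; a real reply carries the MD5-based
    Response Authenticator, which this example does not check."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + os.urandom(16) + body


def _walk_tlvs(data, start=0):
    """Yield (type, value) for a Type/Length/Value list, rejecting bad lengths."""
    pos = start
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, data[pos + 2:pos + length]
        pos += length


def parse_mschap_error(value):
    """MS-CHAP-Error value: 1 byte Ident, then the RFC 2548 string
    'E=eeeeeeeeee R=r C=<32 hex> V=vvvvvvvvvv M=<message>'."""
    if len(value) < 3:
        raise ValueError("MS-CHAP-Error too short")
    fields = {"Ident": value[0]}
    rest = value[1:].decode("ascii", "replace")
    for key in ("E", "R", "C", "V"):
        if not rest.startswith(key + "="):
            break
        val, _, rest = rest[2:].partition(" ")
        fields[key] = val
    if rest.startswith("M="):
        fields["M"] = rest[2:]          # message text may contain spaces
    return fields


def classify_reject(packet):
    """What the VPN head-end can learn from an Access-Reject: the MS-CHAPv2
    error (None if the server sent no MS-CHAP-Error, e.g. PAP), whether a
    retry is allowed (R=1) and whether a change-password exchange can follow,
    which is only the case for ERROR_PASSWD_EXPIRED."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REJECT:
        raise ValueError("not an Access-Reject (code %d)" % code)
    result = {"error": None, "name": None, "retry": False,
              "can_change_password": False, "message": None}
    for t, v in _walk_tlvs(packet[:length], 20):
        if t == ATTR_REPLY_MESSAGE:
            result["message"] = v.decode("utf-8", "replace")
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != VENDOR_MICROSOFT:
            continue
        for vt, vv in _walk_tlvs(v, 4):
            if vt != MS_CHAP_ERROR:
                continue
            err = parse_mschap_error(vv)
            errcode = int(err.get("E", "0"))
            result.update(error=errcode, name=MSCHAP_ERRORS.get(errcode, "UNKNOWN"),
                          retry=err.get("R") == "1",
                          can_change_password=(errcode == 648),
                          message=err.get("M"))
    return result


# Constructed samples: expired password and wrong password over MS-CHAPv2,
# and a PAP-style reject that carries only a Reply-Message.
_CHALLENGE = "00" * 16          # C= field: 16-byte server challenge as hex
SAMPLE_EXPIRED = build_packet(ACCESS_REJECT, 7, [
    _vsa(VENDOR_MICROSOFT, MS_CHAP_ERROR,
         bytes([7]) + ("E=648 R=0 C=%s V=3 M=Password expired" % _CHALLENGE).encode()),
])
SAMPLE_WRONG_PASSWORD = build_packet(ACCESS_REJECT, 8, [
    _vsa(VENDOR_MICROSOFT, MS_CHAP_ERROR,
         bytes([8]) + ("E=691 R=1 C=%s V=3 M=Authentication failed" % _CHALLENGE).encode()),
])
SAMPLE_PAP = build_packet(ACCESS_REJECT, 9, [_attr(ATTR_REPLY_MESSAGE, b"Access denied")])

if __name__ == "__main__":
    for label, pkt in (("expired", SAMPLE_EXPIRED),
                       ("wrong password", SAMPLE_WRONG_PASSWORD),
                       ("pap", SAMPLE_PAP)):
        print(label, classify_reject(pkt))
```

Run it as-is to see the three cases side by side. The PAP case is the situation the thread's original setup was in: the reject arrives, the user is simply refused, and nothing in the packet lets the firewall offer a change.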
01-15-2008 08:58 AM
Thanks a lot for your help.
Which policy do I have to create in order to see the "allow user to change password after it expires" check box? I only have "Date and Time Restriction" and "Windows Group" policies.
Thanks.
01-15-2008 09:43 AM
Open your existing remote access policy. Select "Edit Profile". Select the "Authentication" tab. Check MSCHAP V2 and check "user can change password after it expires".
Also, on the radius client properties for the ASA, the Client-Vendor needs to be Microsoft.
After you've set it all up you can test it by setting a user to must change password at next logon. If you've done it all right, the vpn client will now ask for username, password and domain. You can either enter the domain or leave it blank. The user should then be prompted to enter a new PIN/password.
If it doesn't work, check your Event Viewer on the IAS server under System. Check the IAS events for errors.
01-15-2008 10:41 AM
Thanks acomiskey, that worked.
You are a great asset to this forum.
01-15-2008 10:44 AM
Good deal! Glad it worked.
05-22-2008 11:56 AM
I appreciate your posts, but I am having an issue with this setup. Once I enable password management I am no longer able to log in. I followed all your suggestions, which are great, but is there anything else you can think of to try?
05-27-2008 08:07 AM
Michael,
Need a little more info to help you. Are you using IAS? Have you looked at the logs on the IAS server in the Event Viewer?
05-28-2008 03:38 AM
I appreciate you getting back, but the problem has been solved. It seems that IAS was hung and not answering requests. I do want to thank you for posting the IAS instructions; they were very helpful.
07-29-2008 07:13 AM
Will this solution also work for the different SSL VPN implementations? I think I see how it might work with AnyConnect, but not sure how it would work with a clientless VPN. My customer wants to set up a clientless VPN solution using AD authentication, however most of the users are not MS office users where they would typically be prompted for password changes. Thanks.