Password management for VPN users is supported only by two protocols: RADIUS and LDAP. RADIUS password management for VPN users requires the RADIUS server to be integrated with an Active Directory (MS-AD) server, because the password-management controls are set on that server.
Supported VPN types
IPsec Cisco VPN Client 3.x, 4.x, 5.x
AnyConnect SSL VPN 2.x, 3.x
Clientless SSL VPN
ASA does not support password management under the following conditions:
when using LOCAL (internal) authentication
when using LDAP authorization
when using only RADIUS authentication and the users reside in the RADIUS server's own database.
RADIUS uses Active Directory as the back-end database, so the ASA cannot send any warning message to the end client about the days remaining until the password expires. Password expiry is handled through RADIUS: when a change is required, the user is prompted to change the password at that moment only, with no pre-warning messages.
To configure the ASA to communicate with RADIUS over MSCHAPv2, "password-management" must be configured under the tunnel-group. This adds a new, optional field in which the end user can enter the domain name; if it is left blank, the local domain is used.
With LDAP, ASA/PIX version 7.2 or later is required. If you want the warning message to appear, configure the ASA for LDAP authentication rather than RADIUS authentication. Only LDAP over SSL can provide warning messages, not plain LDAP. For LDAP authentication you must configure the firewall appropriately and then use the password-expiry feature on the ASA.
Why secure LDAP (port 636) is needed for password changes over LDAP
The password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption. Please refer to this Microsoft article for details:
Procedure for Configuring RADIUS Password Management
Enable "password-management" under the tunnel-group/Connection Profile.
Note: "password-management password-expire-in-days X" will not work with RADIUS; use just "password-management".
Ensure that MSCHAPv1/MSCHAPv2 is enabled on the RADIUS server.
Ensure that ACS is integrated with AD.
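The three RADIUS steps above, collected into one ASA configuration as an added example (this is not configuration from the original page; the server-group name, tunnel-group name, interface and 192.0.2.10 address are placeholders, and the MSCHAPv2 and AD-integration settings live on the ACS side, so they do not appear here):

```cisco
! Added example, not from the original page. Names and addresses are placeholders.
! RADIUS server group pointing at the ACS that is integrated with AD
aaa-server RADIUS-ACS protocol radius
aaa-server RADIUS-ACS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Remote-access tunnel-group using that server group; plain "password-management"
! (no password-expire-in-days) is what makes the ASA use MSCHAPv2 with RADIUS
tunnel-group ANYCONNECT-RA type remote-access
tunnel-group ANYCONNECT-RA general-attributes
 authentication-server-group RADIUS-ACS
 password-management
!
! Verify the RADIUS exchange from the ASA before testing with a client
test aaa-server authentication RADIUS-ACS host 192.0.2.10 username <user> password <password>
```

If the test succeeds but clients are never prompted to change an expired password, the usual cause is MSCHAPv2 not being enabled on the ACS or the ACS not being joined to the AD domain, since both of those controls are on the server rather than the ASA.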
Procedure for configuring the password change feature for VPN users using LDAP
If you wish to enable password management for LDAP on a Cisco ASA VPN profile, there are certain requirements to be met.
LDAP over SSL must be enabled for the aaa-server group: issue the command ldap-over-ssl enable under the aaa-server host properties.
Check under "show version" that the ASA license supports 3DES-AES, which is required for LDAPS.
The Login DN (the user used for the Binding operation, sometimes called the Binding DN) must have Account Operators privileges for password management changes. Super-user level privileges are not required for the Login/Bind DN.
The domain controller(s) that you are authenticating to must support LDAPS. You can accomplish this by installing Certificate Services on the domain controller and rebooting it. Once that is done, it will accept LDAPS queries.
You must enable password-expire-in-days <# of days> under tunnel-group to notify users that their password will be expiring. If you do not specify that, users will not be notified but will still be able to change their password once it expires.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host <IP-of-Windows-AD>
 ! LDAPS on port 636 is required for the unicodePwd write (see above)
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn <AD base DN>
 ldap-login-dn <login user DN>
 ldap-login-password <password for login user DN>
 server-type microsoft
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
 password-management password-expire-in-days <number of days>
Settings on the LDAP server
We can create a new user account with password settings "user must change password at next logon" or specific number of days whenever you