Password-management with LDAP vs Radius for VPN users.
    Password management for VPN users is supported by only two protocols: RADIUS and LDAP. RADIUS password management for VPN users requires the RADIUS server to be integrated with a Microsoft Active Directory (MS-AD) server, because the password-management controls are set on the AD server, not on the RADIUS server.

    Supported VPN types

    • IPsec Cisco VPN Client 3.x, 4.x, 5.x
    • AnyConnect SSL VPN 2.x, 3.x
    • Clientless SSL VPN

    ASA does not support password management under the following conditions:

    • when using LOCAL (internal) authentication
    • when using LDAP authorization
    • when using RADIUS authentication alone and the users reside in the RADIUS server's own database.

    More Information

    RADIUS uses Active Directory as the back-end database, so the ASA cannot send the end client any warning about how many days remain before the password expires. Expiry is handled through RADIUS: when a change is required, the user is prompted to change the password at that moment, but receives no advance warning.

    To configure the ASA to communicate with RADIUS over MSCHAPv2, "password-management" must be configured under the tunnel-group. This adds an optional field in which the end user can enter the domain name; if it is left blank, the local domain is used.

    With LDAP (ASA/PIX version 7.2 or later), if you want the expiry warning message to appear, configure the ASA for LDAP authentication rather than RADIUS authentication. Only LDAP over SSL can provide the warning messages, not plain LDAP. For LDAP authentication you must configure the firewall accordingly and then use the password-expiry feature on the ASA.

    Why secure LDAP (port 636) is needed for password changes over LDAP

    The password is stored in Active Directory on the user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read: it can only be modified, never added at object creation or returned by a search. To modify this attribute, the client must have a 128-bit Secure Sockets Layer (SSL) connection to the server. For that connection to be possible, the server must hold a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that issued the server certificate, and both client and server must be capable of 128-bit encryption. Please refer to this Microsoft article for details:

    How To Change a Windows 2000 User's Password Through LDAP
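    The two properties just described, that unicodePwd is write-only and must be changed over LDAPS, are the ones a client gets wrong most often. The following Python script is an added example for this page, not code from Cisco or Microsoft: it builds the LDAP modify request for an AD password change offline (no server is contacted) and refuses to build one unless the server URL is ldaps://. The operation names mirror the MODIFY_* constants of the ldap3 library, but nothing here imports ldap3; the server URL, DNs and passwords are constructed sample values.

```python
"""Build an Active Directory unicodePwd modify request the way AD requires it:
the new value is the password in double quotes, encoded UTF-16LE, and the write
is only attempted over LDAPS. Added example for this page; no live server is used."""
from typing import Optional
from urllib.parse import urlsplit


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the value as '"<password>"' encoded UTF-16LE (no BOM)."""
    return f'"{password}"'.encode("utf-16-le")


def require_ldaps(server_url: str) -> tuple[Optional[str], int]:
    """Refuse anything that is not ldaps://; AD rejects unicodePwd writes on a plain 389 connection."""
    parts = urlsplit(server_url)
    if parts.scheme != "ldaps":
        raise ValueError(f"unicodePwd can only be written over LDAPS, got scheme {parts.scheme!r}")
    return parts.hostname, parts.port or 636


def build_password_change(server_url: str, user_dn: str, old_password: str, new_password: str) -> dict:
    """Self-service change (the form the VPN user performs after the ASA prompt):
    one modify that deletes the old value and adds the new one. AD verifies the old value."""
    require_ldaps(server_url)
    return {
        "dn": user_dn,
        "changes": {
            "unicodePwd": [
                ("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
                ("MODIFY_ADD", [encode_unicode_pwd(new_password)]),
            ]
        },
    }


def build_password_reset(server_url: str, user_dn: str, new_password: str) -> dict:
    """Administrative reset: a single replace. Needs reset-password rights on the object
    (Account Operators is enough, as the text below notes for the ASA bind DN)."""
    require_ldaps(server_url)
    return {"dn": user_dn, "changes": {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}}


if __name__ == "__main__":
    # Constructed sample values, not real hosts or accounts.
    req = build_password_change("ldaps://dc1.example.com", "cn=jdoe,ou=Users,dc=example,dc=com",
                                "OldPassw0rd", "NewPassw0rd!")
    print(req["changes"]["unicodePwd"][1][1][0])  # the UTF-16LE quoted new value
    try:
        build_password_reset("ldap://dc1.example.com", "cn=jdoe,dc=example,dc=com", "x")
    except ValueError as exc:
        print("refused:", exc)
```

    To actually send the request you would hand the `changes` dictionary to an LDAP client connected with TLS (ldap3's `Connection.modify` takes exactly this shape); the point of keeping the builder separate is that the LDAPS check and the encoding can be unit-tested without a domain controller.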

    Command reference guide for password-management command

    It supports the "password-expire-in-days" option for LDAP only (please read the usage guidelines).

    Procedure for Configuring RADIUS Password Management

    • Enable "password-management" in tunnel-group/Connection Profile.

            Note: "password-management password-expire-in-days X" will not work with RADIUS; use just "password-management".

    • Ensure that MSCHAPv1/MSCHAPv2 is enabled on the RADIUS server.
    • Ensure that ACS is integrated with AD.

    Procedure for configuring password change feature for VPN users using LDAP

    If you wish to enable password management for LDAP on a Cisco ASA VPN profile, there are certain requirements to be met.

    • LDAP over SSL must be enabled for the aaa-server group. Issue the command ldap-over-ssl enable in the aaa-server host properties.
    • Check under "show version" that the ASA license supports 3DES-AES, which is required for LDAPS.
    • The Login DN (the user used for the bind operation, sometimes called the Bind DN) must have Account Operators privileges for password-management changes. Super-user level privileges are not required for the Login/Bind DN.
    • The domain controller(s) that you authenticate to must support LDAPS. You can accomplish this by installing Certificate Services on the domain controller and rebooting it; once that is done, it will accept LDAPS queries.
    • You must enable password-expire-in-days <# of days> under the tunnel-group to notify users that their password will be expiring. If you do not specify it, users will not be notified but will still be able to change their password once it expires.

    Sample Configuration

    aaa-server LDAP-AD protocol ldap
    aaa-server LDAP-AD host <IP-of-Windows-AD>
        server-port 636
        ldap-base-dn <AD base DN>
        ldap-scope subtree
        ldap-naming-attribute sAMAccountName
        ldap-login-dn <login user DN>
        ldap-login-password <password for login user DN>
        ldap-over-ssl enable
        server-type Microsoft
    tunnel-group DefaultWEBVPNGroup type remote-access
    tunnel-group DefaultWEBVPNGroup general-attributes
        authentication-server-group LDAP-AD
        default-group-policy DfltGrpPolicy
        password-management password-expire-in-days <number of days>
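    The RADIUS and LDAP procedures above boil down to a handful of checks on the aaa-server and tunnel-group blocks: LDAPS on port 636, a bind DN, password-expire-in-days only on LDAP groups, and bare password-management on RADIUS groups. The script below is an added example written for this page, not Cisco code: a minimal parser for the indented ASA configuration style plus a lint function that returns a list of findings. The two sample configurations are constructed (placeholder addresses, DNs and secrets) and the second one deliberately violates each rule.

```python
"""Lint an ASA configuration against the password-management requirements
described on this page. Added example; the parser is minimal and written here,
not part of any Cisco tool. Sample configurations are constructed."""


def parse_asa_blocks(config_text: str) -> list[tuple[str, list[str]]]:
    """Group indented sub-commands under the preceding top-level command."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config_text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def check_password_management(config_text: str) -> list[str]:
    """Return findings; an empty list means every check on this page passed."""
    blocks = parse_asa_blocks(config_text)
    findings: list[str] = []
    # aaa-server groups declared with "protocol ldap"
    ldap_groups = {h.split()[1] for h, _ in blocks
                   if h.startswith("aaa-server ") and h.split()[-2:] == ["protocol", "ldap"]}
    for header, lines in blocks:
        words = header.split()
        if words[0] == "aaa-server" and "host" in words and words[1] in ldap_groups:
            if "ldap-over-ssl enable" not in lines:
                findings.append(f"{header}: ldap-over-ssl not enabled (unicodePwd writes need LDAPS)")
            if "server-port 636" not in lines:
                findings.append(f"{header}: server-port should be 636 for LDAPS")
            if not any(l.startswith("ldap-login-dn ") for l in lines):
                findings.append(f"{header}: no ldap-login-dn (bind DN needs Account Operators rights)")
        if words[0] == "tunnel-group" and words[-1] == "general-attributes":
            auth = next((l.split()[1] for l in lines if l.startswith("authentication-server-group ")), None)
            pm = next((l for l in lines if l.startswith("password-management")), None)
            if auth is None or pm is None:
                continue  # password management not in play for this profile
            if auth in ldap_groups:
                if "password-expire-in-days" not in pm:
                    findings.append(f"{header}: no password-expire-in-days, users get no expiry warning")
            elif "password-expire-in-days" in pm:
                findings.append(f"{header}: password-expire-in-days is LDAP-only; use bare password-management for RADIUS")
    return findings


# Constructed sample: mirrors the page's sample configuration with placeholder values.
GOOD_CONFIG = """\
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host 192.0.2.10
 server-port 636
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=Service Accounts,dc=example,dc=com
 ldap-login-password REPLACE-ME
 ldap-over-ssl enable
 server-type Microsoft
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP-AD
 password-management password-expire-in-days 14
"""

# Constructed sample with four violations: plain port, no LDAPS, no warning on the
# LDAP profile, and password-expire-in-days on a RADIUS profile.
BAD_CONFIG = """\
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host 192.0.2.10
 server-port 389
 ldap-base-dn dc=example,dc=com
 ldap-login-dn cn=asa-bind,dc=example,dc=com
 ldap-login-password REPLACE-ME
 server-type Microsoft
aaa-server RADIUS-ACS protocol radius
aaa-server RADIUS-ACS host 192.0.2.20
 key REPLACE-ME
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP-AD
 password-management
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUS-ACS
 password-management password-expire-in-days 14
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_password_management(cfg) or "OK")
```

    Running the script prints "OK" for the first configuration and four findings for the second. The check is intentionally textual (it works on `show running-config` output saved to a file), so it can be dropped into a change-review pipeline without touching the ASA.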

    Settings on the LDAP server

    You can create a new user account with the password setting "user must change password at next logon", or set a specific number of days, whenever you allow users to change their password. For the server-side setup, see:

    Configuring LDAP Authentication with Microsoft Active Directory

    Additional Information


    Very good doc.

    What about when two factor is used and still need password change with AnyConnect?