Introduction
Password-management for vpn users is only supported by two protocols Radius and ldap. Radius password-management for vpn users requires the Radius server to be integrated with an Active Directory MS-AD server as the password management controls are set on the server.
Supported VPN types
- IPsec Cisco VPN Client 3.x, 4.x,5,x
- AnyConnect SSL VPN 2.x, 3.x
- Clientless SSL VPN
ASA does not support password management under the following conditions
- when using LOCAL (internal) authentication
- when using LDAP authorization
- when using just RADIUS authentication and when the users reside on the Radius server database.
More Information
Radius using Active Directory as the back end database so we can not send any warning messages to the end client about the days remaining for their password to expire. The password expiry will happen through Radius, when the change is required, and it is only at that moment user will be prompted to change the password. But users won't get the any pre-warning messages.
In order to configure ASA to communicate over MSCHAPv2 with radius, we should have "password-management" under the tunnel-group. This change would add a new field for the end user to enter the domain-name, however, it's optional. If you leave it blank, it would use the local domain.
With LDAP, we are using ASA/PIX version 7.2 or above, And if you want that warning message to appear, then you can try configuring ASA for LDAP authentication rather than RADIUS authentication. And too even LDAP over SSL that can provide warning messages, not plain LDAP. And for LDAP authentication, you would be required to configure the firewall appropriately and then make use of password-expiry feature on ASA.
Why we need secure LDAP 636 for password change in LDAP
The password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption. Please refer to this Microsoft article for details:
How To Change a Windows 2000 User's Password Through LDAP
Command reference guide for password-management command
It supports the "password-expire-in-days" option for LDAP only. ( Please read the usage guidelines)
password-management
Requirements
Procedure for Configuring RADIUS Password Management
- Enable "password-management" in tunnel-group/Connection Profile.
Note: "password-management password-expire-in-days X" will not work, use just "password-management"
- Ensure that MSCHAPv1/MSCHAPv2 is enabled on the RADIUS server.
- Ensure that ACS is integrated with AD.
Procedure for configuring password change feature for VPN users using LDAP
If you wish to enable password management for LDAP on a Cisco ASA VPN profile, there are certain requirements to be met.
- LDAP over SSL must be enabled for the aaa-server group. Issue the command: ldap-over-ssl enable on the aaa-server host properties.
- Check that the ASA license supports 3DES-AES in order to do LDAP-S, under "show version".
- The Login DN (the user used for the Binding operation, sometimes called the Binding DN) must have Account Operators privileges for password management changes. Super-user level privileges are not required for the Login/Bind DN.
- The domain controller(s) that you are authenticating to must support LDAPS. You can accomplish this by installing Certificate Services on the domain controller and rebooting it. Once that is done, it will accept LDAPS queries.
- You must enable password-expire-in-days <# of days> under tunnel-group to notify users that their password will be expiring. If you do not specify that, users will not be notified but will still be able to change their password once it expires.
Sample Configuration
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD host <IP-of-Windows-AD>
server-port 636
ldap-base-dn <AD base DN>
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-dn <login user DN>
ldap-login-password <password for login user DN>
ldap-over-ssl enable
server-type Microsoft
!
!
!
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP-AD
default-group-policy DfltGrpPolicy
password-management password-expire-in-days <number of days>Settings on the LDAP server
We can create a new user account with password settings "user must change password at next logon" or specific number of days whenever you
allow users to change their password. Configuring LDAP Authentication with Microsoft Active Directory: http://tools.cisco.com/squish/81752
Additional Information
