
ACS 5.x Remote access vpn client TACACS Auth with static IP

masif.rao
Level 1

Hi,

I require inputs on the following points:

1) Using TACACS, is it possible to assign static IPs to users? What attribute is used to do so? As far as I remember, this feature is available in the RADIUS 'vpnframedipv4' attribute.

2) If using RADIUS authentication, is it possible to get a change password prompt for ACS users if the ACS feature "Change password on next login" is selected?

Thanks,

4 Replies

Tarik Admani
VIP Alumni

Hi,

Your best method is to use RADIUS for any VPN-related authentication; TACACS is for device administration.

Thanks,

Tarik Admani
*Please rate helpful posts*

Dear Tarik,

Thanks for the reply. As per your suggestion, if I start using RADIUS, how will users change their passwords? Is UCP the only solution in that case?

Please suggest.

Thanks,

Well, I think if you are forcing the users to change the password after it times out, you don't need a UCP, and they will be prompted for password renewal once they try to auth. However, if you want the users to change the password even though it is not yet timed out, I think you need the UCP.

Check this: http://tiny.cc/u4xgkw

@Tarik Admani: Correct me if I am wrong.

Rating useful replies is more useful than saying "Thank you"

Amjad,

You read my mind; you only need UCP as a workaround for devices and protocols that do not support password change.

Masif,

You can leverage the ASA, and if you are using the AnyConnect SSL VPN client (I am not sure if the IPsec client can do this), you can set the "password management" feature on the ASA VPN configuration so that the protocol switches from PAP to MSCHAPv2 (which supports password change). This will work for users on the ACS internal DB and in AD; there were a few bugs for users on the internal DB, but I think they have been addressed now.

Thanks,

Tarik Admani
*Please rate helpful posts*