Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1848
Views
0
Helpful
2
Replies

Cisco VPN Client Password Changes on ACS 5.3.0

sansarav720e
Level 1
Level 1

‎06-02-2012 11:07 AM

   Dear All ,

                   I have a requirement as per our security standard all VPN user ID must change the password during intial logon

                  I am using cisco VPN client 4.6 .0 anf 5.0.0 suspending my IPSEC VPN on head end ASA 5520 device , authenticating VPN user using ACS 5.3.0 . All the VPN user are created internally on ACS 5.3.0 , i have turned on password management on ASA configuration towards tunnel group and i have enabled MS-CHAPv2 on ACS for password change during intial logon .

       I have created internal user with password change during inital logon and tired connecting to my VPN .Intially it prompt for password change , after changing the password to new password .

          When i am trying to connect , i am seeing strange behaviour VPN client is not able to connect to the peer , VPN client is not responding for few minutes , What should the problem , is there problem VPN client or ACS configuration .

  when i remove this password management from tunnel group , VPN users are able to connect with any issue , but the concern is none them able to change the password , we not have ADS on our network all User ID are created internal on ACS server .

HTH Regards Santhosh Saravanan
Labels:
0 Helpful
2 Replies 2

Jatin Katyal
Cisco Employee
Cisco Employee

‎06-06-2012 07:21 PM

Could you please share the running configuration from ASA along with the tunnel-group name.

Also, turn on the debugs:

debugs radius

debug aaa authentication

Try again with one of your users whose password is set to "user password must change on next logon"

What kind of radius are we using?

If we have ACS 4.2, get the logs from reports and activity >> failed attempt

If we have CS 5.x , get the logs from logging and monitoring >> catalog >> protocol >> radius authentication

If we have NPS or IAS then get the event viewer logs.

Please include this information in your next reply.

Regards,

Jatin

Do rate helpful posts-

~Jatin
0 Helpful

sansarav720e
Level 1
Level 1
In response to Jatin Katyal

‎06-13-2012 10:30 AM

Dear Jatin  ,

  Thanks for your response , sorry i was on leave , i could not respond you on time . I have given configuration of my tunnel group , I am using ACS 5.3 as authentication server , all users are internal users on ACS 5.3  .  

tunnel-group AA_ISL_BLR_IND type remote-access

tunnel-group AA_ISL_BLR_IND general-attributes

address-pool VPNLAN

authentication-server-group ISLACS

default-group-policy ISL_IND

password-management

HTH Regards Santhosh Saravanan
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents