VPN Anyconnect password-management if password is already expired

Hello,

On a Cisco ASA I have an AnyConnect VPN with Microsoft AD LDAPS authentication. In the tunnel group I've configured password-management (password-expire-in-days 14). It works, but from my testing it seems not to be possible to update the password if it has already expired. Is there no way to solve this?

Thanks

1 Accepted Solution

Accepted Solutions

Hi Giuseppe,

Yes, the password change should work even when it is expired.

Perhaps you can try placing captures on the user and on the server and make sure that the TCP process is successful when the password is expired.

- Javier -

View solution in original post

4 Replies

carlguer
Level 1

Hi Giuseppe,

This is possible under the following conditions:

  • LDAP over SSL must be enabled for the aaa-server group. Issue the command: ldap-over-ssl enable on the aaa-server host properties.
  • Check that the ASA license supports 3DES-AES in order to do LDAP-S, under "show version".
  • The Login DN (the user used for the Binding operation, sometimes called the Binding DN) must have Account Operators privileges for password management changes. Super-user level privileges are not required for the Login/Bind DN.
  • The domain controller(s) that you are authenticating to must support LDAPS. You can accomplish this by installing Certificate Services on the domain controller and rebooting it. Once that is done, it will accept LDAPS queries.
  • You must enable password-expire-in-days <# of days> under tunnel-group to notify users that their password will be expiring. If you do not specify that, users will not be notified but will still be able to change their password once it expires.

If you have any doubt about this you can check the information on the following link:

https://supportforums.cisco.com/document/11934926/password-management-ldap-vs-radius-vpn-users#ASA_does_not_support_password_management_under_the_following_conditions

Regards,

- Javier -
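The checklist above, put together as a complete ASA configuration plus the checks that exercise each condition. This is an added example and not configuration posted in the thread: the server address 172.31.226.66, the base DN DC=intra,DC=reg and the bind account name "ciscofw" are taken from the debug output posted later in this thread, while the group name AD-LDAPS, the interface name "inside", the OU in the bind DN, the tunnel-group name ANYCONNECT and the two <...> password placeholders are assumed.

```cisco
! Added example, not configuration from the thread.
! Assumed names: AD-LDAPS, inside, OU=service, ANYCONNECT, <bind-password>,
! <user-password>. Address, base DN and bind account are from the thread's debug.

! 1. LDAP server group: LDAPS on 636, Microsoft server type, and a dedicated
!    low-privilege bind account. Account Operators is enough for the password
!    change; do not use a Domain Admin for the bind DN.
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 172.31.226.66
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn DC=intra,DC=reg
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=ciscofw,OU=service,DC=intra,DC=reg
 ldap-login-password <bind-password>

! 2. Tunnel group: authenticate against that group and enable password
!    management. The 14-day value only controls the advance warning to the
!    user; the change itself is carried out by the ASA with the bind account.
tunnel-group ANYCONNECT general-attributes
 authentication-server-group AD-LDAPS
 password-management password-expire-in-days 14

! 3. Checks, in the order the conditions are listed above:
!    - the license must allow strong encryption for the TLS session to the DC
show version | include 3DES
!    - exercise the bind DN, the user lookup and the user's credentials
!      outside of a VPN session
test aaa-server authentication AD-LDAPS host 172.31.226.66 username test-user password <user-password>
!    - trace the full LDAP conversation while a user whose password has
!      expired attempts the change
debug ldap 255
```

Because the ASA binds as the login DN and performs the change on the user's behalf (the debug output later in this thread shows it binding as ciscofw and then converting both the old and the new password), the user's own expired password does not block the operation. The new password is still checked by the domain controller against the domain password policy, and a change the DC rejects for complexity, history or minimum password age reasons is reported back to the client as the new password not meeting requirements, so those policy settings are worth checking before looking at the ASA side.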

Thanks for your answer Javier.

All the conditions are met. Password change works. However, changing the password when it has already expired doesn't work. Should it?

Hi Giuseppe,

Yes, the password change should work even when it is expired.

Perhaps you can try placing captures on the user and on the server and make sure that the TCP process is successful when the password is expired.

- Javier -

Sorry Javier, actually the password change doesn't work :( ... it keeps warning that the new password does not meet requirements.

[2889292] Session Start
[2889292] New request Session, context 0x757094ec, reqType = Modify Password
[2889292] Fiber started
[2889292] Creating LDAP context with uri=ldaps://172.31.226.66:636
[2889292] Connect to LDAP server: ldaps://172.31.226.66:636, status = Successful
[2889292] supportedLDAPVersion: value = 3
[2889292] supportedLDAPVersion: value = 2
[2889292] Binding as ciscofw
[2889292] Performing Simple authentication for ciscofw to 172.31.226.66
[2889292] LDAP Search: Base DN = [DC=intra,DC=reg] Filter = [sAMAccountName=test-user] Scope = [SUBTREE]
[2889292] User DN = [CN=Test User,OU=user,DC=intra,DC=reg]
[2889292] Talking to Active Directory server 172.31.226.66
[2889292] Reading password policy for test-user, dn:CN=Test User,OU=user,DC=intra,DC=reg
[2889292] Read bad password count 0
[2889292] Change Password for test-user successfully converted old password to unicode
[2889292] Change Password for test-user successfully converted new password to unicode
[2889292] Fiber exit Tx=764 bytes Rx=3397 bytes, status=-1
[2889292] Session End
