VPN Client Password Expiry Issue (ASA & Active Directory)

VPN Client Password Expiry issue.

ASA 5510 running 8.2(1) image

Cisco VPN Client 5.0.01.0600

Windows Active Directory server 2003

I am currently having issues with the password expiry feature within remote connections authenticating with the Active Directory server.

The Secure LDAP connection is configured and working with user authenticating with Active Directory and getting the correct dynamic policy based on the AD group Membership.

If I set the ‘Users must change password at next login’ flag on the Active Directory user account, the remote user is prompted to enter a new password at the first login as expected. I have entered the ‘password-management’ command on the ASA profile to achieve this; however, I was also expecting to get a warning message telling the users ‘Password will expire in n days’, and this does not occur.

I have set up an account whose password is due to expire in 12 days and logged into a local Windows system to ensure the message is definitely being displayed and the password is set to time out. I have also set ‘password-management password-expire-in-days 14’ (have tried other values) on the ASA. However, the ASA log states the password has expired and aborts the connection.

What do I need to do to get this warning message to the end remote user?

Any assistance is gratefully received.

Cheers

Steve

aaa-server LDAP-RAS-ACCESS protocol ldap
aaa-server LDAP-RAS-ACCESS (inside) host B-ACS-LDAP-SERVER
 timeout 5
 server-port 636
 ldap-base-dn cn=Users,dc=testrig,dc=company,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=Users,dc=testrig,dc=company,dc=com
 ldap-over-ssl enable
 server-type microsoft
!
tunnel-group LDAP-RAS-ACCESS type remote-access
tunnel-group LDAP-RAS-ACCESS general-attributes
 address-pool RAS-VPN-POOL
 authentication-server-group LDAP-RAS-ACCESS
 authentication-server-group (inside) LDAP-RAS-ACCESS
 accounting-server-group ACS-RAS-ACCESS
 strip-realm
 password-management password-expire-in-days 13
 strip-group
tunnel-group LDAP-RAS-ACCESS ipsec-attributes
 pre-shared-key *
tunnel-group LDAP-RAS-ACCESS ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

5 Replies

Jennifer Halim
Cisco Employee

Do you have group-lock configured too? If you do, looks like you are hitting bugID: CSCsy80242:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsy80242

Hello

Thanks for the fast response. I am currently using the default group policy, and the group-lock is set to none.

group-lock none

Regards

Steve

Ok, seems to be this bugID CSCsy52125 - pswd-mgmt w/IPSec Client - pssword expires in X days broken

Unfortunately it's an internal bug, so you can't view it through the bug tool kit. The fix is in ASA version 8.2.1(10).

I have upgraded to version 8.2(2) and am still experiencing the same problem.

I have an account with a password expiring in 10 days. If I set ‘Password Management’ on the ASA to anything less than 10 days the user is allowed access; however, if I set it to 10 days or more there are no expiry warning messages and the user is denied access, and the ASA log shows the password expiring.

5|Apr 19 2010|10:28:06|713904|||||IP = 192.168.20.102, Received encrypted packet with no matching SA, dropping
3|Apr 19 2010|10:28:06|713194|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Sending IKE Delete With Reason message: No Reason Provided.
3|Apr 19 2010|10:28:06|713048|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Error processing payload: Payload ID: 14
6|Apr 19 2010|10:28:06|725007|10.20.10.14|22452|||SSL session with server inside:10.20.10.14/22452 terminated.
6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me
6|Apr 19 2010|10:28:06|725002|10.20.10.14|22452|||Device completed SSL handshake with server inside:10.20.10.14/22452
6|Apr 19 2010|10:28:06|725005|10.20.10.14|22452|||SSL server inside:10.20.10.14/22452 requesting our device certificate for authentication.
6|Apr 19 2010|10:28:06|725001|10.20.10.14|22452|||Starting SSL handshake with server inside:10.20.10.14/22452 for TLSv1 session.

Cheers
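The ASA-113005 line above is the one that actually records why the connection was torn down; the IKE delete and "no matching SA" messages are only the consequences. The following script is an added example (not from the thread or from Cisco) that parses the pipe-delimited syslog export in the shape pasted above, pulls out the user, server and reason from each 113005 rejection, and flags the ones caused by password expiry so they can be separated from ordinary bad-password failures. The field layout (severity|date|time|message-id|src-ip|src-port|dst-ip|dst-port|text) is assumed from the lines as pasted, and the small `expected_outcome` helper models the intended meaning of `password-expire-in-days N` (warn while the password is still valid but within N days of expiring, deny only once expired) so the observed denial can be compared against it.

```python
"""Detect password-expiry AAA rejections in an ASA syslog export.

Added example; it is not part of the original thread. The parser assumes the
pipe-delimited layout of the lines pasted in the post:
severity|date|time|message-id|src-ip|src-port|dst-ip|dst-port|message text
"""
import re
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample: four lines taken verbatim from the post above.
SAMPLE_LOG = """\
5|Apr 19 2010|10:28:06|713904|||||IP = 192.168.20.102, Received encrypted packet with no matching SA, dropping
3|Apr 19 2010|10:28:06|713194|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Sending IKE Delete With Reason message: No Reason Provided.
6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me
6|Apr 19 2010|10:28:06|725002|10.20.10.14|22452|||Device completed SSL handshake with server inside:10.20.10.14/22452
"""

# ASA-113005 text as it appears in the post; field names are taken from that line.
AAA_REJECT_RE = re.compile(
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+)"
)


@dataclass
class AsaEvent:
    severity: int
    timestamp: str  # "Apr 19 2010 10:28:06" as logged, not parsed to a datetime
    msg_id: str     # e.g. "113005"
    text: str


def parse_asa_log(log_text: str) -> Iterator[AsaEvent]:
    """Yield one AsaEvent per well-formed line; skip blank and malformed lines."""
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split("|", 8)  # message text may itself contain '|'
        if len(parts) != 9:
            continue
        sev, date, time_, msg_id, *_hosts, text = parts
        yield AsaEvent(int(sev), f"{date} {time_}", msg_id, text)


@dataclass
class AaaRejection:
    timestamp: str
    user: str
    server: str
    reason: str

    @property
    def password_related(self) -> bool:
        # Covers "Password is expiring" from the post; any other reason string is
        # flagged only if it mentions expiry, so plain bad-password failures are not.
        return "expir" in self.reason.lower()


def aaa_rejections(log_text: str) -> List[AaaRejection]:
    """Extract every ASA-113005 rejection with its parsed reason/server/user."""
    found = []
    for ev in parse_asa_log(log_text):
        if ev.msg_id != "113005":
            continue
        m = AAA_REJECT_RE.search(ev.text)
        if m:
            found.append(AaaRejection(ev.timestamp, m["user"], m["server"], m["reason"]))
    return found


def expected_outcome(days_until_expiry: int, warn_days: int) -> str:
    """Intended semantics of 'password-management password-expire-in-days N'
    (assumed from the feature's purpose, not read from Cisco code): warn while
    the password is still valid but within N days of expiring; deny only once
    it has actually expired."""
    if days_until_expiry <= 0:
        return "deny-expired"
    if days_until_expiry <= warn_days:
        return "warn"
    return "allow"


if __name__ == "__main__":
    for r in aaa_rejections(SAMPLE_LOG):
        flag = "PASSWORD-EXPIRY" if r.password_related else "other"
        print(f"{r.timestamp} user={r.user} server={r.server} reason={r.reason!r} [{flag}]")
    # The poster's case: password expires in 10 days, ASA configured with 13.
    print(expected_outcome(10, 13))  # intended: 'warn' (the post reports a denial instead)
```

Run it against a saved syslog export instead of `SAMPLE_LOG` to list every expiry-related rejection per user; a user who is denied with "Password is expiring" while `expected_outcome` says "warn" is exactly the mismatch this thread describes.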

You might want to check with TAC if 8.2.2 has the bug fix.
