VPN Client Password Expiry issue.
ASA 5510 running 8.2(1) image
Cisco VPN Client 5.0.01.0600
Windows Active Directory server 2003
I am currently having issues with the password expiry feature for remote connections authenticating with the Active Directory server.
The Secure LDAP connection is configured and working, with users authenticating against Active Directory and getting the correct dynamic policy based on their AD group membership.
If I set the ‘Users must change password at next login’ flag on the Active Directory user account, the remote user is prompted to enter a new password at the first login, as expected. I have entered the ‘Password management’ command on the ASA profile to achieve this; however, I was also expecting to get a warning message telling the users ‘Password will expire in n days’, and this does not occur.
I have set up an account with a password due to expire in 12 days and logged into a local Windows system to ensure the message is definitely being displayed and the password is set to time out. I have also set ‘password-management password-expire-in-days 14’ (I have tried other values) on the ASA. However, the ASA log states the password has expired and aborts the connection.
What do I need to do to get this warning message to the remote end user?
Any assistance is gratefully received.
aaa-server LDAP-RAS-ACCESS protocol ldap
aaa-server LDAP-RAS-ACCESS (inside) host B-ACS-LDAP-SERVER
tunnel-group LDAP-RAS-ACCESS type remote-access
tunnel-group LDAP-RAS-ACCESS general-attributes
authentication-server-group (inside) LDAP-RAS-ACCESS
password-management password-expire-in-days 13
tunnel-group LDAP-RAS-ACCESS ipsec-attributes
tunnel-group LDAP-RAS-ACCESS ppp-attributes
no authentication chap
no authentication ms-chap-v1
Do you have group-lock configured too? If you do, it looks like you are hitting bug ID CSCsy80242:
Thanks for the fast response, I am currently using the default group policy and the group-lock is set to none.
OK, it seems to be this bug ID: CSCsy52125 - pswd-mgmt w/IPSec Client - pssword expires in X days broken
Unfortunately it's an internal bug, so you can't view it through the bug tool kit. The fix is in ASA version 8.2.1(10).
I have upgraded to version 8.2(2) and am still experiencing the same problem.
I have an account with a password expiring in 10 days. If I set the 'Password Management' value on the ASA to anything less than 10 days the user is allowed access; however, if I set it to 10 days or more there are no expiry warning messages and the user is denied access, and the ASA log shows the password expiring.
5|Apr 19 2010|10:28:06|713904|||||IP = 192.168.20.102, Received encrypted packet with no matching SA, dropping
3|Apr 19 2010|10:28:06|713194|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Sending IKE Delete With Reason message: No Reason Provided.
3|Apr 19 2010|10:28:06|713048|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Error processing payload: Payload ID: 14
6|Apr 19 2010|10:28:06|725007|10.20.10.14|22452|||SSL session with server inside:10.20.10.14/22452 terminated.
6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me
6|Apr 19 2010|10:28:06|725002|10.20.10.14|22452|||Device completed SSL handshake with server inside:10.20.10.14/22452
6|Apr 19 2010|10:28:06|725005|10.20.10.14|22452|||SSL server inside:10.20.10.14/22452 requesting our device certificate for authentication.
6|Apr 19 2010|10:28:06|725001|10.20.10.14|22452|||Starting SSL handshake with server inside:10.20.10.14/22452 for TLSv1 session.
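An added example (not from the thread or from Cisco) to sanity-check the situation described above: it works out the days left on an AD password from the account's pwdLastSet and the domain's maxPwdAge, states what the poster expects password-management password-expire-in-days to do at that point, and picks the 113005 "Password is expiring" rejection out of an ASDM-format log line like the ones pasted above. The sample values (a 42-day domain policy, a password last set 32 days before the log timestamp) are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME (100-ns ticks since 1601-01-01 UTC);
# the domain's maxPwdAge is a negative interval in the same units.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def days_until_expiry(pwd_last_set: int, max_pwd_age: int, now: datetime) -> float:
    """Days left before the AD password expires (negative once it already has)."""
    lifetime = timedelta(microseconds=abs(max_pwd_age) // 10)
    expires_at = filetime_to_datetime(pwd_last_set) + lifetime
    return (expires_at - now) / timedelta(days=1)

def expected_asa_action(days_left: float, expire_in_days: int) -> str:
    """What the poster expects 'password-management password-expire-in-days N'
    to do: deny once expired, warn inside the N-day window, otherwise allow."""
    if days_left <= 0:
        return "deny: password expired"
    if days_left <= expire_in_days:
        return f"warn: password will expire in {int(days_left)} days"
    return "allow"

# ASDM pipe-delimited export as pasted in the thread: sev|date|time|msgid|...|text
ASA_LOG_RE = re.compile(r"^(?P<sev>\d)\|[^|]*\|[^|]*\|(?P<msgid>\d{6})\|.*\|(?P<text>[^|]*)$")

def expiry_rejection_user(line: str):
    """Username from a 113005 'Password is expiring' reject (the thread's symptom), else None."""
    m = ASA_LOG_RE.match(line)
    if not m or m.group("msgid") != "113005" or "Password is expiring" not in m.group("text"):
        return None
    user = re.search(r"user = (\S+)", m.group("text"))
    return user.group(1) if user else None

# Constructed sample: timestamp from the thread's log, 42-day domain policy and a
# password last set 32 days ago, so it expires in 10 days as the poster describes.
NOW = datetime(2010, 4, 19, 10, 28, 6, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000
PWD_LAST_SET = datetime_to_filetime(NOW - timedelta(days=32))
SAMPLE_LOG = ("6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : "
              "reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me")
```

With these values expected_asa_action(10.0, 9) returns "allow" and expected_asa_action(10.0, 13) returns the warning, which is the line the poster reports the ASA crossing into a 113005 rejection instead.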