After Enabling Cisco Anyconnect to allow changing expired Windows passwords, only works with non-DUO enabled accounts

performance
Level 1

Hello All,
I recently enabled changing expired passwords while connecting via Cisco AnyConnect using ASDM via this process: Connect to the ASDM > Configuration > Remote Access VPN > Network Client remote Access > AnyConnect Connection Profile > Select the one for AnyConnect > Edit > Advanced > General > Password Management > Enable Password Management > Select to notify user the number of days before his/her password expires > OK > Apply > File > Save running configuration to flash.
I did so for both our non-DUO enabled connection profile and our DUO-enabled connection profile. When testing, it allowed us to successfully change expired Windows passwords when logging on with non-DUO enabled accounts. However, for DUO-enabled accounts, if a user attempts to log in and their Windows account password is expired, it just redirects them back to the sign-on screen instead of prompting them to change their password. Are there any extra considerations or configuration changes I need to make in order to get password change due to password expiry to work with DUO-enabled accounts?
Sincerely,

Scott B.

1 Reply

Hi,

I am assuming that DUO is your second authentication after successful LDAP authentication. In this case, DUO won't kick in to change an expired password using AnyConnect. There is nothing to be done on the DUO side for this deployment.

Can you make sure that you are matching the right connection profile for DUO users with the right advanced settings for password management? Also, run 'debug ldap 127' on the ASA to see what is happening for DUO users.


***** please remember to rate useful posts
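The reply's advice boils down to one check: for each connection profile (tunnel-group), confirm that password management is actually configured and that the primary authentication server group is the LDAP group, since DUO itself never handles the password change. The ASDM click-path in the question maps to `password-management password-expire-in-days N` under `tunnel-group NAME general-attributes` in the running-config, so the check can be scripted against `show running-config` output. The script below is an added example, not from the original thread or from Cisco; the running-config it parses is constructed to mirror the question's two profiles (group names, addresses and pool names are made up), and the DUO profile is deliberately left without `password-management` and with the RADIUS group as primary so the audit has something to report. It also checks that the LDAP host has `ldap-over-ssl enable`, because the ASA needs LDAPS to write a new password to Active Directory.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of the relevant running-config sections (not a real device).
SAMPLE_CONFIG = """\
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=local
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
aaa-server DUO-RADIUS protocol radius
aaa-server DUO-RADIUS (inside) host 10.0.0.20
 key *****
 authentication-port 1812
 accounting-port 1813
tunnel-group VPN-STANDARD type remote-access
tunnel-group VPN-STANDARD general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 password-management password-expire-in-days 14
tunnel-group VPN-STANDARD webvpn-attributes
 group-alias Standard enable
tunnel-group VPN-DUO type remote-access
tunnel-group VPN-DUO general-attributes
 address-pool VPN-POOL
 authentication-server-group DUO-RADIUS
 secondary-authentication-server-group AD-LDAP
tunnel-group VPN-DUO webvpn-attributes
 group-alias DUO enable
"""

@dataclass
class ServerGroup:
    name: str
    protocol: str                                # "ldap" or "radius"
    hosts: list = field(default_factory=list)    # one settings dict per host line

@dataclass
class TunnelGroup:
    name: str
    primary: Optional[str] = None                # authentication-server-group
    secondary: Optional[str] = None              # secondary-authentication-server-group
    password_management: bool = False
    expire_days: Optional[int] = None

def _group_name(words):
    # "authentication-server-group [(iface)] GROUP [LOCAL]": the first non-interface token
    return next((w for w in words[1:] if not w.startswith("(")), None)

def parse_config(text: str):
    """Parse aaa-server groups/hosts and tunnel-group general-attributes from ASA config text."""
    groups, tunnels = {}, {}
    current = None                 # (kind, object) that receives the following indented lines
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):            # top-level command starts a new section
            current = None
            if m := re.match(r"aaa-server (\S+) protocol (\S+)$", raw):
                groups[m[1]] = ServerGroup(m[1], m[2].lower())
            elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", raw):
                host = {"address": m[2]}
                groups[m[1]].hosts.append(host)
                current = ("host", host)
            elif m := re.match(r"tunnel-group (\S+) general-attributes$", raw):
                current = ("tunnel", tunnels.setdefault(m[1], TunnelGroup(m[1])))
            continue
        if current is None:
            continue
        kind, obj = current
        words = raw.split()
        if kind == "host":                     # e.g. "ldap-over-ssl enable" -> {"ldap-over-ssl": "enable"}
            obj[words[0]] = " ".join(words[1:]) if len(words) > 1 else True
        elif words[0] == "authentication-server-group":
            obj.primary = _group_name(words)
        elif words[0] == "secondary-authentication-server-group":
            obj.secondary = _group_name(words)
        elif words[0] == "password-management":
            obj.password_management = True
            if "password-expire-in-days" in words:
                obj.expire_days = int(words[words.index("password-expire-in-days") + 1])
    return groups, tunnels

def audit(groups, tunnels):
    """Return {tunnel-group: [findings]}; an empty list means the profile passes the checks."""
    report = {}
    for tg in tunnels.values():
        findings = []
        if not tg.password_management:
            findings.append("password-management not configured")
        primary = groups.get(tg.primary)
        if primary is None:
            findings.append(f"primary server group {tg.primary!r} is not defined")
        elif primary.protocol != "ldap":
            # The password change is done against the primary LDAP group; DUO as primary cannot do it.
            findings.append(f"primary server group {tg.primary} is {primary.protocol}, not ldap")
        else:
            for host in primary.hosts:         # AD password writes require LDAPS on the ASA
                if host.get("ldap-over-ssl") != "enable":
                    findings.append(f"LDAP host {host['address']} lacks 'ldap-over-ssl enable'")
        report[tg.name] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(*parse_config(SAMPLE_CONFIG)).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; a profile that comes back clean here but still bounces users to the sign-on screen is the one to watch with `debug ldap 127`, as the reply suggests.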