05-21-2013 11:47 AM - edited 02-21-2020 06:55 PM
Hi,
We have remote VPN users who log into our network using their AD credentials, when the password is expiring (although reminder is enabled in VPN profile), they are not getting the reminders. What could be causing this while using Radius?
05-21-2013 01:54 PM
Azhar,
The tunnel group setting "password-management password-expire-in-days X" is used with LDAP only and "password-management" is for RADIUS, since it only supports "MUST change password"
05-21-2013 04:27 PM
Hello Azhar,
Password-management is only supported by two protocols Radius and LDAP.
With RADIUS, we cannot send any warning messages to the end client about the days remaining for their password to expire. The password expiry will happen through RADIUS when the change is required, and it is only at that moment that the user will be prompted to change the password. But users won't get any pre-warning messages. If you want that warning message to appear, then you can try configuring the ASA with LDAP authentication rather than RADIUS authentication, and that too with LDAP over SSL, which can provide warning messages, not plain LDAP. For LDAP authentication, you would be required to configure the firewall appropriately and then make use of the password-expiry feature on the ASA.
Command reference guide for password-management command. It supports the "password-expire-in-days" option for LDAP only. (Please read the usage guidelines)
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/p.html#wp2130949
Please refer to following document,
Configuring LDAP Authentication with Microsoft Active Directory:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1572118
Password-management (Refer to Step 9):
http://tools.cisco.com/squish/Be87D
Jatin Katyal
- Do rate helpful posts -
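To make the difference between the two answers concrete, here is an added configuration example (mine, not from either poster or from Cisco's documents): an AD-backed LDAP-over-SSL server group that enables the expiry warning beside a RADIUS server group that can only force a change at expiry. Server names, addresses, DNs, the tunnel-group name and the 14-day value are assumed placeholders; the password-change flow over RADIUS additionally relies on the RADIUS server accepting MS-CHAPv2, which is an assumption about your RADIUS server, not something the thread states.

```cisco
! --- Option A: LDAP over SSL to Active Directory (warning supported) ---
! Assumed names: AD-LDAP, 10.0.0.10, example.com, asa-bind
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ! Port 636 plus ldap-over-ssl: AD only accepts password changes over an encrypted bind
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Bind account used to search for the user; it needs rights to read the user objects
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>

tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 ! "password-expire-in-days" is honoured for LDAP only: users get a warning
 ! during the 14 days before expiry and can change the password from the client
 password-management password-expire-in-days 14

! --- Option B: RADIUS (no pre-expiry warning) ---
! Assumed names: NPS-RADIUS, 10.0.0.20
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.0.0.20
 key <shared-secret>
 ! Assumption: the RADIUS server must support MS-CHAPv2 for the change-password
 ! exchange; mschapv2-capable is the ASA default but is shown for clarity
 mschapv2-capable

tunnel-group RA-VPN-RADIUS general-attributes
 authentication-server-group NPS-RADIUS
 ! Bare "password-management": the user is prompted only when the
 ! server reports "must change password"; no days-remaining reminder is sent
 password-management
```

The quick check on a box that "has the reminder enabled" but still shows no warning is `show running-config tunnel-group <name>`: if the tunnel group points at a RADIUS server group, the `password-expire-in-days` value is ignored regardless of what is configured, and moving the group to an LDAP-over-SSL server is the fix the second answer describes.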