Showing results for 
Search instead for 
Did you mean: 

ASA "password-management" command for vpn pasword alerts w/ IAS

Attempting to have users alerted of password expiration via vpn client. Also it is configured to alert users 14 days prior to actual expiration. I have added the "password-management" command for the specific tunnel-group.

I tested and was not alerted of a soon to expire password. The only difference I saw was that a "Domain" text box was given along with the usual username/password in the vpn client.

Using IAS and AD for authentication. Anyone have this working who can help out. thanks.


Update: I am prompted to change my password and am able to change my password after it has expired, but I am not alerted of an upcoming password expiration. For example my domain password expires in 11 days, I am supposed to be alerted the default 14 days before expiration.

Any ideas?

Did you configure the feature when yu were only 11 days behind the expiry date. In that case, it would not work. It will let you change the password but will not notify for the expiration.

Also make sure, "password-expire-in-days" is not set to 0.



My password was due to expire in 11 days. I then set up the password-management command and used the default 14 days. I tested the vpn and was not notified of upcoming expiration. Isn't that the main feature of the command, asside from allowing to change the password? All the documentation says so.


The feature says, if the password-management is not set with the keyword "paswwrd-expire...." it will send the notification to the user 14 days before th eexpiry date.

You configured the feature, when there were only 11 days left for password expiry. Thats why it din't work.

Try the above using "password-expiry..." keyword, and set the time to something lower than 11.

This should work.

*Please rate if helped.


Sorry, maybe I'm not understanding exactly. So if I set it for 5 days, I will only be alerted on the 5th day before expiration. What about the 4th day, 3rd day etc. What if I don't happen to vpn on the 5th day?

No, the notification will start from the 14th day.

But, if you "configure" it, after the 14th day, the feature will not work.

So, if you have configured it on 15 th day, it will start notifying you from the next day and so on.

So, now, you are left with the option of trying "password-expire....." option, cuz 14th day has already passed.



Ah, got it now thanks. I'll give it a shot.


Does anyone know how to eliminate the "Domain" option from the login window after adding "password-management"? Thanks.

No, the domain prompt will be there. You can leave it blank if you do not need it.


I never did figure this out. It still does not warn users of upcoming password expiration.

Does anyone have this working? Does this take any special config in IAS/AD?

I think I found my problem. This option is valid only for LDAP servers, not radius I guess.


(Optional) Indicates that the immediately following parameter specifies the number of days before the current password expires that the security appliance starts warning the user about the pending expiration. This option is valid only for LDAP servers.

I found out the hard way that password-management is required for radius, if you want to use MS-CHAPv2.   This was in the tunnel-group attributes section.   Otherwise, we kept defaulting to PAP.  I only found out by reading a help screen on ASDM.

To close this thread.

Password-management for VPN connection is only supported by two protocols radius and ldap. I'd also like to update you that through RADIUS using Active Directory as the back end database, we can not send any warning messages to the end client about the days remaining for their password to expire. The password expiry will happen through RADIUS, when the change is required, and it is only at that moment user will be prompted to change the password. But users won't get the any pre-warning messages. And if you want that warning message to appear, then you can try configuring ASA for LDAP authentication rather than RADIUS authentication. And that too with LDAP over SSL that can provide warning messages, not plain LDAP. And for LDAP authentication, you would be required to configure the firewall appropriately and then make use of password-expiry feature on ASA.

Command reference guide for password-management command

It supports the "password-expire-in-days" option for LDAP only.

(Please read the usage guidelines)

Please refer to following document,

Configuring LDAP Authentication with Microsoft Active Directory:

Password-management (Refer to Step 9):

In order to configure ASA to communicate over MSCHAPv2 with radius, we should have "password-management" under the tunnel-group. This change would add a new field for the end user to enter the domain-name, however, it's optional. If you leave it blank, it would use the local domain.

Jatin Katyal

**Do rate helpful posts**


Thanks for the follow-up Jatin; most helpful.

Recognize Your Peers
Content for Community-Ad