03-02-2007 06:17 AM - edited 02-21-2020 02:53 PM
Attempting to have users alerted of password expiration via vpn client. Also it is configured to alert users 14 days prior to actual expiration. I have added the "password-management" command for the specific tunnel-group.
I tested and was not alerted of a soon to expire password. The only difference I saw was that a "Domain" text box was given along with the usual username/password in the vpn client.
Using IAS and AD for authentication. Anyone have this working who can help out? Thanks.
03-02-2007 11:09 AM
Update: I am prompted to change my password and am able to change my password after it has expired, but I am not alerted of an upcoming password expiration. For example my domain password expires in 11 days, I am supposed to be alerted the default 14 days before expiration.
Any ideas?
03-03-2007 05:01 AM
Did you configure the feature when you were only 11 days from the expiry date? In that case, it would not work. It will let you change the password but will not notify for the expiration.
Also make sure, "password-expire-in-days" is not set to 0.
HTH,
-Kanishka
03-04-2007 05:17 PM
My password was due to expire in 11 days. I then set up the password-management command and used the default 14 days. I tested the vpn and was not notified of upcoming expiration. Isn't that the main feature of the command, aside from allowing to change the password? All the documentation says so.
03-05-2007 12:51 AM
Hi,
The feature says, if the password-management is not set with the keyword "password-expire...." it will send the notification to the user 14 days before the expiry date.
You configured the feature when there were only 11 days left for password expiry. That's why it didn't work.
Try the above using "password-expiry..." keyword, and set the time to something lower than 11.
This should work.
*Please rate if helped.
-Kanishka
03-05-2007 06:11 AM
Sorry, maybe I'm not understanding exactly. So if I set it for 5 days, I will only be alerted on the 5th day before expiration. What about the 4th day, 3rd day etc. What if I don't happen to vpn on the 5th day?
03-05-2007 06:16 AM
No, the notification will start from the 14th day.
But, if you "configure" it, after the 14th day, the feature will not work.
So, if you have configured it on the 15th day, it will start notifying you from the next day and so on.
So, now, you are left with the option of trying "password-expire....." option, cuz 14th day has already passed.
HTH,
-Kanishka
03-05-2007 06:21 AM
Ah, got it now thanks. I'll give it a shot.
10-03-2007 02:21 PM
Does anyone know how to eliminate the "Domain" option from the login window after adding "password-management"? Thanks.
10-03-2007 02:33 PM
No, the domain prompt will be there. You can leave it blank if you do not need it.
Mitesh
11-14-2007 09:33 AM
I never did figure this out. It still does not warn users of upcoming password expiration.
Does anyone have this working? Does this take any special config in IAS/AD?
11-14-2007 10:49 AM
I think I found my problem. This option is valid only for LDAP servers, not radius I guess.
"password-expire-in-days"
(Optional) Indicates that the immediately following parameter specifies the number of days before the current password expires that the security appliance starts warning the user about the pending expiration. This option is valid only for LDAP servers.
09-15-2013 07:39 PM
I found out the hard way that password-management is required for radius, if you want to use MS-CHAPv2. This was in the tunnel-group attributes section. Otherwise, we kept defaulting to PAP. I only found out by reading a help screen on ASDM.
09-15-2013 10:49 PM
To close this thread.
Password-management for VPN connection is only supported by two protocols: radius and ldap. I'd also like to update you that through RADIUS using Active Directory as the back end database, we cannot send any warning messages to the end client about the days remaining for their password to expire. The password expiry will happen through RADIUS, when the change is required, and it is only at that moment that the user will be prompted to change the password. But users won't get any pre-warning messages. And if you want that warning message to appear, then you can try configuring ASA for LDAP authentication rather than RADIUS authentication. And that too with LDAP over SSL, which can provide warning messages, not plain LDAP. And for LDAP authentication, you would be required to configure the firewall appropriately and then make use of the password-expiry feature on ASA.
Command reference guide for password-management command
It supports the "password-expire-in-days" option for LDAP only.
(Please read the usage guidelines)
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916
Please refer to following document,
Configuring LDAP Authentication with Microsoft Active Directory:
http://tools.cisco.com/squish/81752
Password-management (Refer to Step 9):
http://tools.cisco.com/squish/Be87D
In order to configure ASA to communicate over MSCHAPv2 with radius, we should have "password-management" under the tunnel-group. This change would add a new field for the end user to enter the domain-name, however, it's optional. If you leave it blank, it would use the local domain.
~BR
Jatin Katyal
**Do rate helpful posts**
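The two configurations discussed in this thread, as an added example that is not from the original posts or from Cisco's documentation: a RADIUS tunnel-group where `password-management` is needed only to get MS-CHAPv2 (and gives no expiry warning), and an LDAP-over-SSL tunnel-group where `password-expire-in-days` actually produces the warning. The server names, IP addresses, DNs, group names and the 10-day value are placeholders; the command names are standard ASA CLI, but verify them against the command reference linked above for your software version.

```cisco
! --- Case 1: RADIUS (IAS/NPS) against AD ---
! password-management here only switches the ASA from PAP to MS-CHAPv2
! and enables change-on-expiry; no pre-expiry warning is possible over RADIUS.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
tunnel-group RA-RADIUS general-attributes
 authentication-server-group IAS-RADIUS
 password-management
!
! --- Case 2: LDAP over SSL against AD ---
! Only LDAP supports password-expire-in-days, and the warning and the
! password change require LDAP over SSL (port 636), not plain LDAP.
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 192.0.2.20
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,cn=Users,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft
!
tunnel-group RA-LDAPS general-attributes
 authentication-server-group AD-LDAPS
 ! warn users starting 10 days before expiry (default is 14 when omitted)
 password-management password-expire-in-days 10
```

As Kanishka's replies note, the warning only appears for passwords whose remaining lifetime is still inside the configured window when the user connects, so set the value with the AD maximum password age in mind and test with an account whose expiry is further out than the window. The bind account in the LDAP case should be a least-privilege service account; it needs read access to the user objects and, for the change-on-expiry flow, the directory must accept the password change over the SSL session.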
09-16-2013 06:16 AM
Thanks for the follow-up Jatin; most helpful.