02-25-2009 06:20 AM
I currently have ASA5505 VPN clients authenticating via the local database (which I see as a simple typo machine :)
I'm required to make users change their passwords to comply with complexity and minimum length rules, which to my understanding cannot be done directly on the ASA.
I've set up an IAS server which uses RADIUS Standard for the ASA5505 client.
Now I have 2 groups of users using the same tunnel with the local database:
users who are also domain users -> for those users I assume IAS will solve the problem by syncing with AD
users who are NOT domain users -> how do I apply those rules to these users?
How should I configure the AAA server on the ASA and what should I change on the tunnel group in order to make all of this work?
02-26-2009 08:59 AM
Your AAA server should be a RADIUS type with, of course, the correct settings (key, IP and so on). After this change has been done, you need to go into the tunnel-group mode (general-attributes) and call your AAA server for authentication: authentication-server-group
LOCAL will be there only for fallback.
After this change is done, and your IAS connects to the AD correctly, you should be able to authenticate. NOTE: making this change in the config will force all users to have a valid username in the IAS/AD schema; the local database will only be used when RADIUS fails.
Now, to give users the ability to change the password via the VPN client, you will need to enable "ms-chap-v2" under the tunnel-group PPP attributes; as soon as this is done, the Domain field will be displayed on the XAUTH prompt of the VPN client. The keyword "password-management" also has to be enabled under the general-attributes.
02-26-2009 09:03 AM
Thanks.
One follow-up question: under these settings, is there any way I can have non-AD users other than creating a dedicated VPN tunnel that would use the LOCAL db?
And if I do so, can I force them to change passwords every X time (without the complexity, but at least changing it)?
02-26-2009 09:14 AM
You can do it by configuring a second tunnel group where local auth is used. You cannot set password change on the local DB.
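The steps from the two answers above (RADIUS server group, tunnel group authenticating against IAS with LOCAL fallback, password-management plus MS-CHAPv2, and a second LOCAL-only tunnel group for the non-domain users), put together as one ASA configuration. This is an added example, not config posted in the thread; the group names IAS, RA-AD, RA-LOCAL and RA-GP, the IAS address 192.0.2.10 on the inside interface, the shared secret and the pre-shared keys are placeholders to replace. `type remote-access` is the 8.x keyword; older images spell it `ipsec-ra`.

```cisco
! Added example, not from the original thread. All names, addresses and
! secrets below are placeholders.
!
! 1. RADIUS server group pointing at the IAS host (add a second host line
!    for a second IAS server; the ASA tries them in order).
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.0.2.10
 key ChangeMe-RadiusKey
 authentication-port 1812
 accounting-port 1813
 timeout 5
!
! Group policy shared by both tunnel groups (placeholder).
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-tunnel-protocol ipsec
!
! 2. Tunnel group for domain users: authenticate via IAS/AD. The trailing
!    LOCAL keyword is fallback only, and only when IAS is unreachable, not
!    when IAS rejects the user. password-management lets the client
!    change an expired/expiring password; ms-chap-v2 is what the answer
!    above enables under ppp-attributes.
tunnel-group RA-AD type remote-access
tunnel-group RA-AD general-attributes
 authentication-server-group IAS LOCAL
 default-group-policy RA-GP
 password-management
tunnel-group RA-AD ipsec-attributes
 pre-shared-key ChangeMe-GroupPSK
tunnel-group RA-AD ppp-attributes
 authentication ms-chap-v2
!
! 3. Separate tunnel group for the non-domain users, as the follow-up
!    answer suggests: LOCAL only. No password-management here, because the
!    ASA cannot age or expire local-database passwords.
tunnel-group RA-LOCAL type remote-access
tunnel-group RA-LOCAL general-attributes
 authentication-server-group LOCAL
 default-group-policy RA-GP
tunnel-group RA-LOCAL ipsec-attributes
 pre-shared-key ChangeMe-LocalPSK
```

Before cutting users over, check the RADIUS path from the ASA with `test aaa-server authentication IAS host 192.0.2.10 username <user> password <pass>` and `show aaa-server IAS`; on the IAS side the remote access policy must permit MS-CHAP v2 for the password change to work. Two things to keep in mind with this layout: the LOCAL fallback means every account left in the local database can still log in to RA-AD whenever IAS is down, with no policy applied, so prune the local database down to the non-domain accounts that RA-LOCAL is meant for; and the RADIUS shared secret is all that protects the credentials on the ASA-to-IAS leg, so keep that traffic on a trusted segment and use a long random key rather than a word.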