Showing results for 
Search instead for 
Did you mean: 

Cisco VPN Client Password Changes on ACS 5.3.0

   Dear All ,

                   I have a requirement as per our security standard all VPN user ID must change the password during intial logon

                  I am using cisco VPN client 4.6 .0 anf 5.0.0 suspending my IPSEC VPN on head end ASA 5520 device , authenticating VPN user using ACS 5.3.0 . All the VPN user are created internally on ACS 5.3.0 , i have turned on password management on ASA configuration towards tunnel group and i have enabled MS-CHAPv2 on ACS for password change during intial logon .

       I have created internal user with password change during inital logon and tired connecting to my VPN .Intially it prompt for password change , after changing the password to new password .

          When i am trying to connect , i am seeing strange behaviour VPN client is not able to connect to the peer , VPN client is not responding for few minutes , What should the problem , is there problem VPN client or ACS configuration .

  when i remove this password management from tunnel group , VPN users are able to connect with any issue , but the concern is none them able to change the password , we not have ADS on our network all User ID are created internal on ACS server .

HTH Regards Santhosh Saravanan
Jatin Katyal
Cisco Employee

Could you please share the running configuration from ASA along with the tunnel-group name.

Also, turn on the debugs:

debugs radius

debug aaa authentication

Try again with one of your users whose password is set to "user password must change on next logon"

What kind of radius are we using?

If we have ACS 4.2, get the logs from reports and activity >> failed attempt

If we have CS 5.x , get the logs from logging and monitoring >> catalog >> protocol >> radius authentication

If we have NPS or IAS then get the event viewer logs.

Please include this information in your next reply.



Do rate helpful posts-


Dear Jatin  ,

  Thanks for your response , sorry i was on leave , i could not respond you on time . I have given configuration of my tunnel group , I am using ACS 5.3 as authentication server , all users are internal users on ACS 5.3  .  

tunnel-group AA_ISL_BLR_IND type remote-access

tunnel-group AA_ISL_BLR_IND general-attributes

address-pool VPNLAN

authentication-server-group ISLACS

default-group-policy ISL_IND


HTH Regards Santhosh Saravanan