Password change via VPN (IPSec/L2TP), Radius backend fails with error 628

interojne

Hello everybody,

we have a VPN using a Cisco ASA 5505 and IPSec/L2TP. The AAA servers are RADIUS servers with the user database in Active Directory.

Now if a user's password has expired, a user connecting from a Windows machine is presented with the password change option for 1-2 seconds before the connection breaks down with error 628.

The configuration of the tunnel group has "password-management" enabled as suggested in the documentation.

The debug log for RADIUS and AAA shows:

RADIUS packet decode (response)

Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 51 (0x33)
Radius: Length = 96 (0x0060)
Radius: Vector: 5686C096E4D8EDBC93DD742A3DF10DEF
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 76 (0x4C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 2 (0x02) MS-CHAP-Error
Radius: Length = 70 (0x46)
Radius: Value (String) =
01 45 3d 36 34 38 20 52 3d 31 20 43 3d 64 35 30    |  .E=648 R=1 C=d50
36 37 36 63 36 63 62 31 63 39 65 65 34 30 64 31    |  676c6cb1c9ee40d1
64 61 39 31 30 37 33 34 32 38 39 61 35 20 56 3d    |  da910734289a5 V=
33 20 4d 3d 50 61 73 73 77 6f 72 64 20 65 78 70    |  3 M=Password exp
69 72 65 64                                        |  ired
rad_procpkt: REJECT
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 1282, pAcb = 0xcc812d54
AAA task: aaa_process_msg(0xc85a8d18) received message type 1
AAA FSM: In AAA_ProcSvrResp

Back End response:
------------------
Authentication Status: -1 (REJECT)

AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = <MyRadiusGroup>, author svr = <MyRadiusGroup>, user pol = , tunn pol = DefaultRAGroup
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
  1     MS-CHAP-Error(8194)     68    "[01]E=648 R=1 C=d50676c6cb1c9ee40d1da910734289a5 V=3 "
  2     Password change server type(20487)      4    1
  3     Password change username(20488)      7    "<myuser>"
  4     Password change password(20489)      0    0xcd07332d   ** Unresolved Attribute **

Auth Status = REJECT
AAA API: In aaa_close
AAA task: aaa_process_msg(0xc85a8d18) received message type 3
In aaai_close_session (1282)
RADIUS_DELETE

How would I get rid of this error and enable proper password change via VPN?

Thanks a lot for any help, much appreciated.

Best regards,

Johannes

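The reject in the debug output is not a plain authentication failure: the Microsoft Vendor-Specific attribute (vendor ID 311, vendor type 2, MS-CHAP-Error as defined in RFC 2548 section 2.1.6) carries "E=648 R=1 ... V=3", which per RFC 2759 means ERROR_PASSWD_EXPIRED with a retry allowed under MS-CHAPv2, i.e. the backend is inviting a change-password exchange rather than refusing the user outright. The decoder below is an added example (it is not part of the post and not Cisco or Microsoft code): it rebuilds the Access-Reject from the hex the ASA printed, walks the RADIUS attributes, parses the MS-CHAP-Error string, and reports whether the backend's reply actually offers a password change. The packet bytes are reconstructed from the post's hexdump, and the error-code names come from RFC 2759 section 6; the function names are mine.

```python
"""Decode a RADIUS Access-Reject carrying a Microsoft MS-CHAP-Error VSA.

Constructed example: the packet is rebuilt from the 'debug radius' hex in the
post (Code=3, Identifier=51, Length=96, the 16-byte Response Authenticator,
one Vendor-Specific attribute for vendor 311 with vendor type 2).
"""
import struct

RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
VENDOR_MICROSOFT = 311   # RFC 2548
MS_CHAP_ERROR = 2        # vendor type inside the Microsoft VSA, RFC 2548 2.1.6

# MS-CHAP error codes, RFC 2759 section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Bytes reconstructed from the debug output in the post (not a live capture).
RESPONSE_AUTHENTICATOR = bytes.fromhex("5686C096E4D8EDBC93DD742A3DF10DEF")
MS_CHAP_ERROR_VALUE = bytes([0x01]) + (
    b"E=648 R=1 C=d50676c6cb1c9ee40d1da910734289a5 V=3 M=Password expired")
VSA = (struct.pack("!BBI", 26, 2 + 4 + 2 + len(MS_CHAP_ERROR_VALUE), VENDOR_MICROSOFT)
       + struct.pack("!BB", MS_CHAP_ERROR, 2 + len(MS_CHAP_ERROR_VALUE))
       + MS_CHAP_ERROR_VALUE)
ACCESS_REJECT = (struct.pack("!BBH", 3, 51, 20 + len(VSA))
                 + RESPONSE_AUTHENTICATOR + VSA)


def parse_attributes(body):
    """Return [(type, value)] for a run of RADIUS TLVs (1-byte length incl. header)."""
    attrs, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[off], body[off + 1]
        if alen < 2 or off + alen > len(body):
            raise ValueError("attribute length %d out of range" % alen)
        attrs.append((atype, body[off + 2:off + alen]))
        off += alen
    return attrs


def parse_radius(packet):
    """Split a RADIUS packet into header fields and its attribute list."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length > len(packet) or length < 20:
        raise ValueError("Length field %d does not fit the packet" % length)
    return {"code": code, "name": RADIUS_CODES.get(code, "other"),
            "identifier": ident, "authenticator": packet[4:20],
            "attributes": parse_attributes(packet[20:length])}


def parse_ms_chap_error(value):
    """RFC 2548 2.1.6: one Ident octet, then 'E=eeee R=r C=<hex> V=v M=<text>'."""
    ident, text = value[0], value[1:].decode("ascii")
    head, _, msg = text.partition(" M=")      # M= may contain spaces, split it off first
    fields = dict(tok.partition("=")[::2] for tok in head.split())
    code = int(fields["E"])
    return {"ident": ident, "error": code,
            "error_name": MSCHAP_ERRORS.get(code, "unknown"),
            "retry_allowed": fields.get("R") == "1",   # RFC 2759: 1 = retry allowed
            "challenge": fields.get("C", ""),
            "version": int(fields.get("V", "0")),      # 3 = MS-CHAPv2
            "message": msg}


def ms_chap_errors(packet):
    """Every MS-CHAP-Error found in the packet's Microsoft Vendor-Specific attributes."""
    found = []
    for atype, aval in parse_radius(packet)["attributes"]:
        if atype != 26 or len(aval) < 6:
            continue
        if struct.unpack("!I", aval[:4])[0] != VENDOR_MICROSOFT:
            continue
        for vtype, vval in parse_attributes(aval[4:]):
            if vtype == MS_CHAP_ERROR:
                found.append(parse_ms_chap_error(vval))
    return found


def password_change_offered(packet):
    """True when the reject signals an expired password with retry allowed under
    MS-CHAPv2, which is what a NAS needs before it can run a change-password flow."""
    return any(e["error"] == 648 and e["retry_allowed"] and e["version"] >= 3
               for e in ms_chap_errors(packet))


if __name__ == "__main__":
    hdr = parse_radius(ACCESS_REJECT)
    print("%s id=%d, %d attribute(s)" % (hdr["name"], hdr["identifier"], len(hdr["attributes"])))
    for err in ms_chap_errors(ACCESS_REJECT):
        print("MS-CHAP-Error: %(error)d %(error_name)s retry=%(retry_allowed)s "
              "v%(version)d msg=%(message)r" % err)
    print("password change offered by backend:", password_change_offered(ACCESS_REJECT))
```

Run it against a packet captured from your own RADIUS server (the bytes of one UDP payload) to confirm the backend is sending E=648 with R=1 and V=3; if it is, the RADIUS reply is consistent with a password-change prompt and the next place to look is how the NAS and the client handle that reply, not the server. The Response Authenticator is not verified here because that needs the shared secret and the matching request.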