We are using an AnyConnect VPN infrastructure on ASA5550 with RADIUS auth via ISE, which checks users/groups with the AD. Our users have to change their password on first login with an initial password. Is it sufficient to just use the password-management attribute for the tunnel-group, or do I have to make further changes on the ISE?
Thanks in advance!
ASA does not support password management under the following conditions
You can use RADIUS as authentication, but the user should be in an external database like LDAP; the password management parameters will be configured on the LDAP server.
Hi Diego, what about using Kerberos? I'm trying to allow users to reset their password (after expiration) through AnyConnect, but they get "user not authorized for password change". Any idea is highly appreciated.
Kerberos is not supported. The security appliance supports password management for the RADIUS and LDAP protocols. It supports the "password-expire-in-days" option for LDAP only.