403 Views, 0 Helpful, 3 Replies

Password Management with AnyConnect, ISE and AD

Paul Stange
Level 1

Hello,

We are using an AnyConnect VPN infrastructure on an ASA 5550 with RADIUS authentication via ISE, which checks users/groups against AD. Our users have to change their password on first login with an initial password. Is it sufficient to just use the password-management attribute for the tunnel-group, or do I have to make further changes on the ISE?

Thanks in advance!

Paul

3 Replies

Diego Lopez
Level 1

Hello,

The ASA does not support password management under the following conditions:

  • when using LOCAL (internal) authentication
  • when using LDAP authorization
  • when using just RADIUS authentication and the users reside in the RADIUS server's database

You can use RADIUS for authentication, but the users should be in an external database like LDAP; the password-management parameters will be configured on the LDAP server.

https://supportforums.cisco.com/document/11934926/password-management-ldap-vs-radius-vpn-users

Regards,

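As an added illustration of the ASA side of the LDAP path described in the reply above (this is not configuration from the original thread or from Cisco's document; the server-group name, interface, IP address, DNs, bind account and tunnel-group name are all assumptions):

```cisco
! Added example, not from the thread: ASA password management for AnyConnect
! users whose accounts live in Active Directory. All names, the address
! 10.0.0.10, the DNs and the tunnel-group name AC-TG are assumptions.
!
! 1. LDAP server group pointing at the domain controller. Active Directory
!    only accepts password changes over an encrypted session, so the ASA
!    must talk LDAPS (ldap-over-ssl, port 636) for the change to succeed.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=svc,dc=example,dc=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
!
! 2. Tunnel group: authenticate against the LDAP group and turn on password
!    management. password-expire-in-days is the LDAP-only option: the ASA
!    warns the user this many days before the AD password expires.
tunnel-group AC-TG type remote-access
tunnel-group AC-TG general-attributes
 authentication-server-group AD-LDAP
 password-management password-expire-in-days 14
```

The point of the comparison with the original question: `password-management` alone under a tunnel group whose `authentication-server-group` is the ISE RADIUS group is one of the unsupported combinations listed above when the accounts are in the RADIUS server's own database; the attribute only does something when the ASA can reach a directory (here AD over LDAPS) that accepts the password change.
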
Hi Diego, what about using Kerberos? I'm trying to allow users to reset their password (after expiration) through AnyConnect but they get "user not authorized for password change" any idea is highly appreciated.

Rolando Valenzuela.

Hello,

Kerberos is not supported. The security appliance supports password management for the RADIUS and LDAP protocols. It supports the "password-expire-in-days" option for LDAP only.

Regards,