
Password Management with AnyConnect, ISE and AD

Hello,

we are using an AnyConnect VPN infrastructure on ASA5550 with Radius auth via ISE which checks users/groups with the AD. Our users have to change their password on first login with an initial password. Is it sufficient to just use the password-management attribute for the tunnel-group or do I have to make further changes on the ISE?

Thanks in advance!

Paul

3 REPLIES

Hello,

ASA does not support password management under the following conditions:

  • when using LOCAL (internal) authentication
  • when using LDAP authorization
  • when using just RADIUS authentication and when the users reside on the Radius server database.

You can use Radius for authentication, but the user should be in an external database like LDAP; the password management parameters will be configured on the LDAP server.

https://supportforums.cisco.com/document/11934926/password-management-ldap-vs-radius-vpn-users

Regards,
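The LDAP-backed setup this reply describes, written out as an added example (not configuration from this thread, from Cisco, or from the linked document): the ASA authenticates AnyConnect users directly against AD over LDAPS and enables password-management on the tunnel-group. The server-group name, IP address, bind DN, base DN, tunnel-group and group-policy names are placeholders.

```text
! Added example, not from the thread. All names, IPs and DNs are placeholders.
! AD rejects password modifications over cleartext LDAP, so the server must be
! reached over LDAPS (ldap-over-ssl, port 636) for password changes to work.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
!
! Remote-access tunnel-group using the LDAP group for authentication.
! password-management lets the user change an expired or must-change password
! at login; password-expire-in-days warns them ahead of expiry (LDAP only).
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy RA-POLICY
 password-management password-expire-in-days 7
```

Before relying on it, verify the bind and the LDAPS path from the ASA with `test aaa-server authentication AD-LDAP host 10.0.0.5 username <test-user> password <pw>`; a failure here, rather than in the tunnel-group, is the usual reason the change-password prompt never appears. The bind account only needs read access to the user objects, since the ASA performs the password change with the user's own credentials, so keep it a least-privilege service account rather than a domain admin.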


Hi Diego, what about using Kerberos? I'm trying to allow users to reset their password (after expiration) through AnyConnect, but they get "user not authorized for password change". Any idea is highly appreciated.

Rolando Valenzuela.

Hello,

Kerberos is not supported. The security appliance supports password management for the RADIUS and LDAP protocols. It supports the "password-expire-in-days" option for LDAP only.

Regards,