01-22-2016 02:04 AM - edited 02-21-2020 08:38 PM
Hello,
We are using an AnyConnect VPN infrastructure on an ASA5550 with RADIUS authentication via ISE, which checks users/groups against AD. Our users have to change their password on first login with an initial password. Is it sufficient to just use the password-management attribute for the tunnel-group, or do I have to make further changes on the ISE?
Thanks in advance!
Paul
01-22-2016 03:05 PM
Hello,
The ASA does not support password management under the following conditions:
You can use RADIUS for authentication, but the user should be in an external database like LDAP; the password management parameters will be configured on the LDAP server.
https://supportforums.cisco.com/document/11934926/password-management-ldap-vs-radius-vpn-users
Regards,
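As an added illustration of the LDAP-based setup described in the reply above (this is not configuration posted in the thread), the ASA side of password management looks roughly like the following. Server group name, interface, IP address, domain, bind account and pool name are all assumed placeholders; the ASA can only change Active Directory passwords over LDAP-over-SSL, so the server entry is bound to port 636.

```text
! Added example ASA configuration, not from the original thread.
! Assumed values: server group LDAP-AD, AD host 192.0.2.10 on the inside
! interface, domain example.com, read-only bind account "asa-bind",
! tunnel group ANYCONNECT-TG, address pool VPN-POOL.
!
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 ! Password changes against AD require LDAP over SSL (TCP/636).
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <service-account-password>
!
tunnel-group ANYCONNECT-TG general-attributes
 address-pool VPN-POOL
 authentication-server-group LDAP-AD
 ! "password-expire-in-days" is LDAP-only; it warns users 7 days before
 ! expiry. An account flagged "user must change password at next logon"
 ! in AD, or an already expired password, prompts for a new password
 ! during the AnyConnect login.
 password-management password-expire-in-days 7
```

To check the bind and lookup before testing from a client, `test aaa-server authentication LDAP-AD host 192.0.2.10 username <user> password <pw>` exercises the server group from the ASA itself, and `debug ldap 255` shows the returned AD account status (for example a "must change password" or expired flag) while a login is attempted.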
02-01-2016 08:13 AM
Hi Diego, what about using Kerberos? I'm trying to allow users to reset their password (after expiration) through AnyConnect, but they get "user not authorized for password change". Any idea is highly appreciated.
Rolando Valenzuela.
02-01-2016 08:23 AM
Hello,
Kerberos is not supported. The security appliance supports password management for the RADIUS and LDAP protocols. It supports the "password-expire-in-days" option for LDAP only.
Regards,