09-11-2014 05:02 AM
Hello,
We have an ASA 5505 w/ Security Plus license + RADIUS server/NPS for VPN user authentication that has been configured and is running well (native Win VPN client).
But now we noticed that when the Win password expires and you want to change it through the VPN connection, it is not working. The prompt for the change comes up and, after you hit Enter, the connection breaks after a period of time saying "Error 628: connection terminated by remote computer before it could be completed", and the password is not changed...
Log on ASA:
IP = x.x.x.x, Received encrypted packet with no matching SA, dropping
Group = DefaultRAGroup, Username = , IP = x.x.x.x, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:40s, Bytes xmt: 0, Bytes rcv: 264, Reason: User Requested
Group = DefaultRAGroup, IP = x.x.x.x, Session is being torn down. Reason: User Requested
Group = DefaultRAGroup, IP = x.x.x.x, Connection terminated for peer . Reason: Peer Terminate Remote Proxy x.x.x.x, Local Proxy y.y.y.y
I have not canceled anything, in spite of the "User Requested" reason...
Maybe someone can help me; I could also post the configuration if necessary.
Thank you and BR
09-12-2014 05:00 PM
Hi,
Please make sure the password-management is configured on the ASA for the specific tunnel-group.
This document should help you in understanding the password change feature and the configuration that is needed on the ASA.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
09-15-2014 12:37 AM
Hello Dinesh,
thank you for your reply. Password Management is already enabled on this tunnel group (DefaultRAGroup).
As in the link you posted, RADIUS should support password change with an AD backend (like we have). The notification feature is not that important for us, but the password change doesn't work. VPN works great, but when the password has to be changed the connection drops somehow.
The link you mentioned is mostly about LDAP, which we can't/don't want to use.
ASA Version is 9.0(3).
BR
09-15-2014 01:45 AM
Hi,
Along with password management, you must confirm that you have MSCHAPv1/MSCHAPv2 enabled on the RADIUS server.
If this does not help, debugs will help in confirming at what step the connection is failing.
debug radius 255
debug aaa
debug aaa common 255
To confirm that VPN is working as expected, you might wish to see "debug webvpn svc/anyconnect 255" along with the aaa debugs.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
09-19-2014 04:30 AM
Hi,
MSCHAPv2 is enabled on the server, also the setting for changing the password if it has expired.
The debug commands did not help me much; I can't make out what the problem is...
AAA session opened: handle = 398
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0xc7855480) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
Initiating authentication to primary server (Svr Grp: RadiusServer)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 192.168.0.203
AAA FSM: In AAA_SendMsg
User: test
Resp:
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 398, pAcb = 0xcb685b18
aaa_backend_callback: Error:
AAA task: aaa_process_msg(0xc7855480) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Authentication Status: -1 (REJECT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = RadiusServer, author svr = <none>, user pol = , tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
1 MS-CHAP-Error(8194) 14 "[00]E=648 R=0 V=3"
2 Password change server type(20487) 4 1
3 Password change username(20488) 4 "test"
4 Password change password(20489) 0 0xcbc2c574 ** Unresolved Attribute **
user policy attributes:
None
tunnel policy attributes:
None
Auth Status = REJECT
AAA API: In aaa_close
AAA task: aaa_process_msg(0xc7855480) received message type 3
In aaai_close_session (398)
AAA API: In aaa_open
AAA session opened: handle = 399
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0xc7855480) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(DfltGrpPolicy)
Got server ID 0 for group policy DB
Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: <Internal Server>
AAA FSM: In AAA_SendMsg
User: DfltGrpPolicy
Resp:
grp_policy_ioctl(0x0ac8f5a0, 114698, 0xc78549e8)
grp_policy_ioctl: Looking up DfltGrpPolicy
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 399, pAcb = 0xcb685b18
AAA task: aaa_process_msg(0xc7855480) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Tunnel Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
1 User-Name(1) 14 "DefaultRAGroup"
2 User-Password(2) 0 0xcc13bf1b ** Unresolved Attribute **
user policy attributes:
None
We are using the Windows integrated VPN client, and the VPN connection works fine, only the password change...
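The MS-CHAP-Error attribute in the debug above carries the RADIUS server's failure reason in the "E=... R=... V=..." format defined in RFC 2759 section 6. As an added example, not code from this thread, the following Python decoder pulls the "user attributes:" block out of pasted ASA aaa debug output and maps the E/R/V fields to their RFC 2759 meaning; the sample input is an excerpt of the debug posted above.

```python
import re

# RFC 2759 section 6: failure codes carried in the "E=" field of an MS-CHAP-Error.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Attribute lines as printed by the ASA aaa debug, e.g.
#   1 MS-CHAP-Error(8194) 14 "[00]E=648 R=0 V=3"
ATTR_RE = re.compile(r'^\s*\d+\s+(?P<name>[\w -]+?)\((?P<id>\d+)\)\s+\d+\s+(?P<value>.*)$')
# RFC 2759 failure string: E=code R=retry [C=challenge] V=version [M=message]
ERR_RE = re.compile(r'E=(?P<E>\d+)\s+R=(?P<R>[01])(?:\s+C=[0-9A-Fa-f]+)?\s+V=(?P<V>\d+)')

# Constructed excerpt of the "debug aaa" output posted above.
SAMPLE = """\
Authentication Status: -1 (REJECT)
AAA FSM: In AAA_Callback
user attributes:
1 MS-CHAP-Error(8194) 14 "[00]E=648 R=0 V=3"
2 Password change server type(20487) 4 1
3 Password change username(20488) 4 "test"
4 Password change password(20489) 0 0xcbc2c574 ** Unresolved Attribute **
user policy attributes:
None
"""

def parse_user_attributes(debug_text):
    """Return {name: value} for every line in a 'user attributes:' block."""
    attrs, in_block = {}, False
    for line in debug_text.splitlines():
        if line.strip() == "user attributes:":
            in_block = True
            continue
        m = ATTR_RE.match(line) if in_block else None
        if m is None:
            in_block = False      # block ends at the first non-attribute line
            continue
        attrs[m["name"]] = m["value"].strip().strip('"')
    return attrs

def decode_mschap_error(value):
    """Decode the E/R/V fields of an MS-CHAP-Error value; None if absent."""
    m = ERR_RE.search(value)
    if m is None:
        return None
    code = int(m["E"])
    return {"code": code, "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
            "retry_allowed": m["R"] == "1", "version": int(m["V"])}

def diagnose(debug_text):
    """Map a REJECT in the debug to the RADIUS server's MS-CHAP failure reason."""
    err = parse_user_attributes(debug_text).get("MS-CHAP-Error")
    return decode_mschap_error(err) if err else None
```

For the posted output it reports E=648 (ERROR_PASSWD_EXPIRED) with R=0, i.e. the server did not allow a retry, and V=3 marks the reply as MS-CHAP-V2.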
08-22-2016 08:03 AM
Hi,
Did you get to the bottom of this issue by any chance? I'm experiencing exactly the same problem.
Best regards,