radius using windows 2003 IAS and cisco asa 5510 8.2

donnie
Level 1

Hi all,

I have successfully set up RADIUS using Win2003 IAS and a Cisco ASA 5510 running ASA version 8.2. My VPN client is 5.0.07.

For the user account on my Win2003 IAS, I enabled the option "user must change password", but when I try connecting I am not prompted to change the password; the window keeps popping up again for me to key in the username and password. If I disable the option "user must change password", I can log in successfully. I would like to have the option to change the password. What may I have missed out? Please advise. Thanks in advance.


Jennifer Halim
Cisco Employee

Hi Jennifer,

Thank you for your prompt response. I understand that this works only with LDAP. However, I am not using LDAP. My user accounts are on my standalone IAS server running Win2003. Below is my config. After I enabled password-management I was prompted for username/password/domain. I tried the correct username and password with the domain set to my server name; the login window popped up again, and when I logged in again with the domain field empty, the authentication still failed to go through. Hence, is it possible to enable password expiry or allow my users to change their password via the VPN login without using LDAP? Thank you very much!

tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool VPN_pool
authentication-server-group RADIUS
default-group-policy VPN
password-management password-expire-in-days 90
tunnel-group test ipsec-attributes
pre-shared-key xxxxx

aaa-server RADIUS protocol radius
aaa-server RADIUS host testsvr
key xxxxx
radius-common-pw xxxxx

Only the "password-management password-expire-in-days" command is supported via LDAP, however, the "password-management" feature by itself is supported on both Radius and LDAP protocols. So you might want to remove the "password-expire-in-days" keywords of the command since it is not supported on Radius.

So within your tunnel-group configuration, just configure the following:

tunnel-group test general-attributes
 password-management

Also, as per the doc shared earlier, your Radius server needs to be using MS-CHAPv2 for the password management feature to work.
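The rule Jennifer describes (password-management works with RADIUS or LDAP, but the password-expire-in-days keyword is LDAP-only) is easy to miss in a long running-config. The following is an added example, not code from the thread or from Cisco: a small audit script that parses ASA-style config text, resolves each tunnel-group's authentication-server-group to its aaa-server protocol, and flags the unsupported combination. The sample config is constructed from the snippets in this thread with hypothetical names.

```python
import re

# Constructed sample modelled on the thread's ASA 8.2 snippets (hypothetical names).
SAMPLE_CONFIG = """\
aaa-server RADIUS protocol radius
aaa-server RADIUS host testsvr
 key xxxxx
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool VPN_pool
 authentication-server-group RADIUS
 password-management password-expire-in-days 90
tunnel-group test ipsec-attributes
 pre-shared-key xxxxx
tunnel-group fixed general-attributes
 authentication-server-group (outside) RADIUS LOCAL
 password-management
"""

def parse_server_protocols(config):
    """Map aaa-server group name -> protocol ('radius', 'ldap', ...)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^aaa-server (\S+) protocol (\S+)", config, re.M)}

def parse_tunnel_groups(config):
    """Map tunnel-group name -> its auth server group and password-management line."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) general-attributes", line)
        if m:
            current = groups.setdefault(m.group(1), {"auth": None, "pw_mgmt": None})
            continue
        if not line.startswith(" "):
            current = None          # a new top-level command ends the sub-mode block
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "authentication-server-group":
            # Skip an optional "(interface)" qualifier; ignore a trailing LOCAL fallback.
            current["auth"] = next(t for t in tokens[1:] if not t.startswith("("))
        elif tokens[0] == "password-management":
            current["pw_mgmt"] = line.strip()
    return groups

def audit_password_management(config):
    """Return (tunnel-group, message) for password-expire-in-days on a non-LDAP group."""
    protos = parse_server_protocols(config)
    findings = []
    for name, attrs in parse_tunnel_groups(config).items():
        proto = protos.get(attrs["auth"])
        if attrs["pw_mgmt"] and "password-expire-in-days" in attrs["pw_mgmt"] and proto != "ldap":
            findings.append((name, f"password-expire-in-days needs an LDAP server group; "
                                   f"{attrs['auth']} uses protocol {proto}"))
    return findings
```

Running `audit_password_management(SAMPLE_CONFIG)` reports only tunnel-group `test`; the `fixed` group, which carries a bare `password-management` on a RADIUS group, is left alone.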

Hi Jennifer,

Apologies for the delay in replying.

Below is my setup. If I remove password-management from the tunnel group, it works. However, if password-management is there, I can't authenticate even though I key in the correct password. It just keeps prompting me to re-key my password. I was prompted to key in username/password and domain. Keying in the domain as my server name or leaving it blank does not help. Please advise.

tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool VPN_pool
authentication-server-group RADIUS
default-group-policy test
password-management
tunnel-group test ipsec-attributes
pre-shared-key test

Hi Jennifer,

Even though I specify only password-management in my tunnel group, in my ASDM I can still see "notify user 14 days prior to password expiration" enabled. Is this normal?
