07-06-2011 04:23 AM
Has anyone got a working setup for SSL VPN users with regard to notifying the user that their password is going to expire and then giving the VPN user the opportunity to change the password during the VPN login process, involving ASA5520 - ACS RADIUS server - Active Directory?
Our VPN users are connecting with the Cisco AnyConnect VPN Client v2.5.3046 to an ASA5520 running 8.4(1); all user validation is handled via RADIUS through a Cisco ACS 5.2 server, which in turn validates the users against MS Active Directory.
For the relevant connection profile on the ASA, the options Advanced / General / Password Management / Enable password management have been selected together with "Notify user 14 days prior to password expiration"; as mentioned, it's connecting to a Cisco ACS RADIUS server with MSCHAPv2 enabled on both the ASA and ACS.
On the ACS server under Users and Identity Stores > External Identity Stores > Active Directory we have a successful bind to the AD, and the value End User Authentication Settings > Enable password change has been selected.
Just to make sure the password notification function was working in the first place, I changed the ASA5520 AAA server group to use LDAP instead of RADIUS and configured a direct path towards one of our domain controllers; sure enough, when the user logged in he got a notification that the password would expire in xx days and was then provided with an option to change the password right away or just connect with the current password.
The thing is, I don't want to just use LDAP for VPN authentication; I have quite an expensive setup on the ACS servers with unique ACLs for various groups of employees and especially for external consultants, and I also use the ACS for customization of web pages and resources when Web VPN is used.
Can it really be that password expiration notification only works using LDAP, and if this is really the case, is there any way to configure dual authentication, so I could first validate the user against LDAP and next against the ACS?
(Side note: I tried to configure the ASA to use LDAP as normal authentication and then the ACS as authorization, but it failed, first because the ASA started to use PAP/ASCII against the ACS, and even if I allowed that, it seemed like the ASA wasn't passing the user's password onwards, with the result that ACS failed and the user account ended up getting locked out in the AD.)
Any insight, pointers or help would be greatly appreciated.
07-11-2011 11:05 PM
Hello Rene,
* Correct, the "password-expire-in-days" option is for LDAP only.
* If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes.
* Yes, you can configure Double Authentication.
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1000458
http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1243545
Regards,
07-14-2011 12:47 AM - edited 03-15-2020 04:18 AM
Hi Rene
Gustavo is correct, however please note that with double authentication (or Secondary authentication in ASA/ASDM terminology) the user will be presented with 2 username fields and 2 password fields on the login screen.
The second username field can be hidden (see the config guide, don't know the command off the top of my head) but the user will still have to enter 2 passwords (since this is meant to be used with 2 different auth servers, usually one of them is a one-time-password system).
In your case the 2 passwords will be the same, so you could apply a 'hack' so that the user only has to enter it once: create a customization, enable the Information Panel, and enter the following JavaScript code in the "Text" field:
<SCRIPT>
// hide the secondary password label ("field") and input field ("input")
var obj = document.getElementById("secondary_password_input");
if (obj) {
  obj.style.visibility = "hidden";
}
obj = document.getElementById("secondary_password_field");
if (obj) {
  obj.style.visibility = "hidden";
}
// the login form's original onsubmit handler, saved so it can be restored
var submit_orig = null;
// create a function to be executed when the submit button is pressed
function CopyPrimaryPasswordToSecondary() {
  var obj1 = document.getElementById('password_input');
  var obj2 = document.getElementById('secondary_password_input');
  if (obj1 && obj2) {
    // copy the primary password into the (now hidden) secondary field
    obj2.value = obj1.value;
  }
  var form = document.getElementById('unicorn_form');
  // put the original handler back so later submits behave normally
  form.onsubmit = submit_orig;
  // run the original handler (if there was one) so its checks still apply
  if (typeof submit_orig === 'function') {
    return submit_orig.call(form);
  }
  return true;
}
// modify the submit button to execute the function above
obj = document.getElementById('unicorn_form');
if (obj) {
  submit_orig = obj.onsubmit;
  obj.onsubmit = CopyPrimaryPasswordToSecondary;
}
</SCRIPT>
In case you're not familiar with JavaScript, what this does is:
- hide the secondary password prompt
- when you click the Logon button, it copies the content of the (primary) password field to the (now hidden) secondary password field, then submits the form.
Note that this is not officially supported, e.g. it may break when you upgrade the ASA etc.
Also note that the dual auth will make it seem to your AD that each user logs in twice, with only a few milliseconds in between; I don't expect this to be a problem but I'm not an AD expert.
Also not sure what exactly will happen when there is an actual password change... sorry don't have time to test this right now (and I will be out the next 2 weeks).
hth
Herbert
PS: LDAP authentication with Radius authorization could indeed also be an option, but as you noticed for Radius authorization the ASA does not send the user's password, instead it sends either a common password (that you can configure but is the same for all users), or it sends the username as the password. (Reason for this is that Radius authorization is normally used with certificate authentication so there is no password.)
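The mirroring idea Herbert describes, written as an added example that is not his code and not part of the original thread, in a form that can be checked outside a browser. The `makeFakeForm` object is a constructed stand-in for the ASA login form (the real page uses element ids such as `password_input` and `secondary_password_input`; the stand-in's `primary`/`secondary` names are assumptions for this example). It shows the one detail the posted snippet glosses over: the wrapper has to keep honouring the form's original `onsubmit` handler, so that a handler returning `false` still blocks the submit, and it restores that handler after it has run once.

```javascript
// Added example (not from the original thread): mirror the primary password
// into the hidden secondary field on submit while keeping the form's own
// onsubmit check (and its ability to veto the submit) intact.

// Install the mirroring handler on a form-like object that exposes
// `primary` and `secondary` (objects with a `value`) and an `onsubmit` slot.
function installPasswordMirror(form) {
  var originalOnSubmit = form.onsubmit;
  form.onsubmit = function mirrorAndSubmit() {
    // copy the primary password into the (hidden) secondary field
    form.secondary.value = form.primary.value;
    // restore the original handler so later submits behave normally
    form.onsubmit = originalOnSubmit;
    // let the original handler keep its veto: returning false aborts submit
    if (typeof originalOnSubmit === 'function') {
      return originalOnSubmit.call(form) !== false;
    }
    return true;
  };
  return form;
}

// Constructed stand-in for the login form; field names are assumptions.
function makeFakeForm(originalOnSubmit) {
  return {
    primary: { value: '' },
    secondary: { value: '' },
    onsubmit: originalOnSubmit
  };
}

// Simulate what the browser does when the Logon button is pressed:
// run onsubmit and treat a `false` return as "do not submit".
function simulateLogon(form, password) {
  form.primary.value = password;
  var proceed = typeof form.onsubmit === 'function'
    ? form.onsubmit() !== false
    : true;
  return { submitted: proceed, secondary: form.secondary.value };
}

// Usage: a form with no original handler submits with both fields equal;
// a form whose original handler rejects empty passwords still rejects them.
function rejectEmptyPassword() {
  return this.primary.value.length > 0;
}
var plain = installPasswordMirror(makeFakeForm(null));
var checked = installPasswordMirror(makeFakeForm(rejectEmptyPassword));
```

Note that `visibility: hidden` only hides the secondary field visually; it is still part of the form and is still sent to the ASA, which is exactly why the copy has to happen before the submit rather than after.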
07-14-2011 04:45 AM
Dear Gustavo and Herbert, thank you both for taking the time to reply to this issue.
You have both confirmed the initial question, that the "password-expire-in-days" option is for LDAP only, and addressed some interesting alternatives for working around this.
Time does not allow me to progress on this matter for the next couple of weeks, but I will read through your comments and suggestions very carefully to see if some of it can be used to obtain the ultimate goal.
Thanks for your time; once I get the chance to revisit this issue I will update the case.
Best Regards
René Kirkeby
07-19-2011 03:02 AM
I allowed my own password to expire in the AD to see what would happen when trying to log in via VPN with an account whose password has expired.
Once connected, the AnyConnect client informed me that the password had expired and provided a dialog to update it; since the overall goal was to provide remote users this ability, it seems the current setup will fulfil the task.
Maybe I initially confused the fact that if the password-expire-in-days notification wasn't working, then it wouldn't work either once the password actually expired.
Thank you Gustavo and Herbert for the verification of the LDAP functionality and for providing alternative solutions to this case.
Case closed.
11-01-2018 04:29 AM
Hello,
Can you please provide the text for the JavaScript referred to?