33107 Views, 5 Helpful, 4 Replies

User must change password at next logon with AnyConnect and RADIUS authentication

marh (Level 1)

I have a Cisco ASA AnyConnect client configured with RADIUS authentication (NPS) against Microsoft AD. It works OK.

Then I add the password-management command to the tunnel-group general-attributes. It still works OK.

But when I check "User must change password at next logon" in AD and enter the password in Cisco AnyConnect, I get the error "You have no dial-in permission."

I have checked that Dial-in is set to Allow access and I have MS-CHAP enabled. Debug RADIUS returns:

Radius: Type = 2 (0x02) MS-CHAP-Error


It all works normal again if I uncheck "User must change password at next logon".

What could be wrong?



4 Replies

ghostinthenet (Level 7), accepted solution

Unfortunately, the ASA doesn't support password changes through RADIUS. Switching to LDAP authentication can resolve your situation, but is a bit more complex. The following document may be helpful:

https://supportforums.cisco.com/document/11934926/password-management-ldap-vs-radius-vpn-users

Hello, Jody!

Thanks for your quick response. I will try this with LDAP.


Regards


Hi!

Marh is talking about Active Directory as a backend and MS-CHAPv2 tunneled over a RADIUS connection.

The ASA supports MS-CHAPv2 password changes over the RADIUS protocol when there's an Active Directory environment, and probably with other backends.

Microsoft NPS and IAS allow these changes, and FreeRADIUS version 3 does too, with Active Directory as a backend and a Cisco ASA. I have the same environment as Marh working OK with this feature.

Marh:

You probably have a problem with the LDAP attribute "msNPAllowDialin" of the Active Directory user you're testing.

You must ensure your NPS is registered in Active Directory and that the Active Directory user's properties have the following option enabled in the Dial-In tab:

Network Access permission = "Allow Access" or "Control Access through NPS policy" checked

This is exactly the msNPAllowDialin LDAP attribute from an Active Directory GUI perspective.

Also, check the NPS logs in the Event Viewer console of your Microsoft server. Maybe the reason is as simple as password complexity not being respected.

Regards,
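The checks the reply above describes (the user's msNPAllowDialin dial-in setting, whether "User must change password at next logon" is ticked, NPS registration in AD, and the NPS reject events in Event Viewer) can be scripted. The following PowerShell is an added example, not code from any poster in this thread or from Cisco; it assumes a domain-joined Windows host with the ActiveDirectory RSAT module, and the `$SamAccountName` and `$NpsServer` parameters are placeholders for the account under test and the NPS server. It does not assert a particular NPS reason code; it prints the Reason Code / Reason lines from each event 6273 so you can read the actual cause.

```powershell
# Added example (not from the thread). Pre-flight checks for the
# "You have no dial-in permission" failure with ASA + NPS + AD.
# Assumes: ActiveDirectory RSAT module present; rights to read the
# Security log on the NPS server. $SamAccountName / $NpsServer are placeholders.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $NpsServer = $env:COMPUTERNAME
)

Import-Module ActiveDirectory

# 1. Dial-in permission and "must change password at next logon" state.
#    msNPAllowDialin: $true  = Allow Access
#                     $false = Deny Access
#                     not set = Control access through NPS Network Policy
#    pwdLastSet = 0 means "User must change password at next logon" is ticked,
#    which is the state that triggers the MS-CHAP-Error seen in the ASA debug.
$user = Get-ADUser -Identity $SamAccountName -Properties msNPAllowDialin, pwdLastSet

if ($null -eq $user.msNPAllowDialin) {
    $dialIn = 'Control access through NPS Network Policy'
} elseif ($user.msNPAllowDialin) {
    $dialIn = 'Allow Access'
} else {
    $dialIn = 'Deny Access (NPS will reject the user)'
}

[pscustomobject]@{
    User               = $user.SamAccountName
    DialInPermission   = $dialIn
    MustChangePassword = ($user.pwdLastSet -eq 0)
}

# 2. NPS registration in AD: the NPS computer account must be a member of the
#    "RAS and IAS Servers" group, otherwise it cannot read users' dial-in properties.
$rasMembers = Get-ADGroupMember -Identity 'RAS and IAS Servers' |
    Where-Object { $_.objectClass -eq 'computer' } |
    Select-Object -ExpandProperty Name

if ($rasMembers -contains $NpsServer) {
    "NPS server $NpsServer is registered in AD (member of 'RAS and IAS Servers')."
} else {
    "WARNING: $NpsServer is not a member of 'RAS and IAS Servers'; register NPS in AD."
}

# 3. Recent NPS rejections for this user: Security log event 6273
#    ("Network Policy Server denied access to a user"). The message body carries
#    "Reason Code:" and "Reason:" lines that state why the request was denied
#    (dial-in permission, policy mismatch, password-related failures, ...).
$namePattern = "Account Name:\s+(.*\\)?$([regex]::Escape($SamAccountName))\b"

Get-WinEvent -ComputerName $NpsServer `
             -FilterHashtable @{ LogName = 'Security'; Id = 6273 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $namePattern } |
    ForEach-Object {
        $reasonLines = $_.Message -split "`r?`n" |
            Where-Object { $_ -match '^\s*Reason( Code)?:' } |
            ForEach-Object { $_.Trim() }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Reason = ($reasonLines -join ' | ')
        }
    }
```

Run it as `.\Check-NpsDialIn.ps1 -SamAccountName jdoe -NpsServer NPS01` (file name and values are placeholders). If step 1 shows Deny Access, or step 2 reports the server is unregistered, that alone explains the rejection; otherwise the Reason lines from step 3 tell you whether NPS denied the request for the dial-in attribute, a network-policy mismatch, or a password problem such as complexity rules, which is the Event Viewer check the reply recommends.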


Very cool news!

Up until now, I've been using LDAP on ASA units to handle this properly. Looks like the following document outlines how to handle it on LDAP, RADIUS and TACACS+.

http://www.cisco.com/c/en/us/support/docs/network-management/remote-access/116757-config-asa-remote-00.html

Thanks!

Jody