01-05-2015 02:15 AM
I have a Cisco ASA AnyConnect client with configured Radius Authentication (NPS) with Microsoft AD. It works OK.
Then I add password-management command to the Tunnel-group general-attributes. It still works OK.
But when I check "User must change password at next logon" in AD, and I enter the password in Cisco AnyConnect, I get an error "You have no dial-in permission."
I have checked Dial-in Allow-access and I have MS-CHAP enabled. Debug RADIUS returns me with:
Radius: Type = 2 (0x02) MS-CHAP-Error
It all works normal again if I uncheck "User must change password at next logon".
What could be wrong?
01-05-2015 05:35 AM
Unfortunately, the ASA doesn't support password changes through RADIUS. Switching to LDAP authentication can resolve your situation, but is a bit more complex. The following document may be helpful:
https://supportforums.cisco.com/document/11934926/password-management-ldap-vs-radius-vpn-users
01-05-2015 11:44 PM
Hello, Jody!
Thanks for your quick response. I will try this with LDAP.
Regards
01-29-2015 10:41 AM
Hi!
Marth is talking about an Active Directory backend and MS-CHAPv2 tunneled over a RADIUS connection.
ASA supports MS-CHAPv2 password changes over the RADIUS protocol when there's an Active Directory environment, and probably with other backends.
Microsoft NPS and IAS allow these changes, and FreeRADIUS version 3 does too with Active Directory as a backend and Cisco ASA. I have the same environment as Marth, working OK with this feature.
Marth:
You probably have a problem with the LDAP attribute "msNPAllowDialin" of the Active Directory user you're testing.
You must ensure your NPS is registered in Active Directory and that the Active Directory user properties have the following option enabled in the Dial-In tab:
Network Access Permission = "Allow Access" or "Control Access through NPS policy" checked
This is exactly the msNPAllowDialin LDAP attribute from an Active Directory GUI perspective.
Also, check NPS logs in the Event Viewer Console of your Microsoft Server. Maybe the reason is as simple as password complexity not being respected.
Regards,
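To check the items in the reply above from the NPS side, here is an added PowerShell script (not from this thread or from any Cisco or Microsoft documentation). It assumes a domain-joined Windows host with the ActiveDirectory RSAT module installed, that NPS writes its decisions to the Security event log (the default), and that the account name is a placeholder you replace with the user being tested. It reads the user's msNPAllowDialin attribute, the pwdLastSet flag that the GUI shows as "User must change password at next logon", and then lists recent NPS grant/deny events (IDs 6272 and 6273) for that user so the reason text can be read directly.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# module (RSAT) is installed and NPS logs to the Security log on this host.
Import-Module ActiveDirectory

$SamAccountName = 'vpn.testuser'   # placeholder: the AD account being tested

$user = Get-ADUser -Identity $SamAccountName `
    -Properties msNPAllowDialin, pwdLastSet, PasswordExpired, LockedOut

# msNPAllowDialin maps to the Dial-In tab as follows:
#   $true  -> "Allow access"
#   $false -> "Deny access"
#   unset  -> "Control access through NPS Network Policy"
$dialin = if ($null -eq $user.msNPAllowDialin) { 'Control access through NPS policy' }
          elseif ($user.msNPAllowDialin)        { 'Allow access' }
          else                                  { 'Deny access' }

# pwdLastSet = 0 is what the GUI shows as "User must change password at next logon"
$mustChange = ($user.pwdLastSet -eq 0)

[pscustomobject]@{
    User            = $user.SamAccountName
    NetworkAccess   = $dialin
    MustChangePwd   = $mustChange
    PasswordExpired = $user.PasswordExpired
    LockedOut       = $user.LockedOut
}

# NPS decisions from the last 24 hours for this user.
# 6272 = access granted, 6273 = access denied; the 6273 message carries the
# Reason Code and Reason text that explain why the request was rejected.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6272, 6273
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($SamAccountName) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Run it on the NPS server itself (or a host with remote Security-log access) as an account that can read the Security log; the first object tells you how the Dial-In tab is really set, and the event list shows whether NPS rejected the request and what reason it recorded.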
01-29-2015 10:41 AM
Very cool news!
Up until now, I've been using LDAP on ASA units to handle this properly. Looks like the following document outlines how to handle it on LDAP, RADIUS and TACACS+.
Thanks!
Jody