02-07-2016 07:19 AM - edited 02-21-2020 08:40 PM
Hello,
On a Cisco ASA I have AnyConnect VPN with Microsoft AD LDAPS authentication. In the tunnel group I've configured password-management (password-expire-in-days 14). It works, but in my test it seems not to be possible to update the password if it is already expired. Is there no way to solve this?
Thanks
02-08-2016 03:17 PM
Hi Giuseppe,
This is possible under the following conditions:
If you have any doubt about this you can check the information on the following link:
https://supportforums.cisco.com/document/11934926/password-management-ldap-vs-radius-vpn-users#ASA_does_not_support_password_management_under_the_following_conditions
Regards,
- Javier -
02-10-2016 06:49 AM
Thanks for your answer Javier.
All the conditions are met. Password change works. However, the password change doesn't work if the password is already expired. Should it?
02-10-2016 12:43 PM
Hi Giuseppe,
Yes, the password change should work even when it is expired.
Perhaps you can try placing captures on the user and on the server and make sure that the TCP process is successful when the password is expired.
- Javier -
02-16-2016 03:40 AM
Sorry Javier, actually the password change doesn't work :( ... it keeps warning that the new password does not meet requirements.
[2889292] Session Start
[2889292] New request Session, context 0x757094ec, reqType = Modify Password
[2889292] Fiber started
[2889292] Creating LDAP context with uri=ldaps://172.31.226.66:636
[2889292] Connect to LDAP server: ldaps://172.31.226.66:636, status = Successful
[2889292] supportedLDAPVersion: value = 3
[2889292] supportedLDAPVersion: value = 2
[2889292] Binding as ciscofw
[2889292] Performing Simple authentication for ciscofw to 172.31.226.66
[2889292] LDAP Search: Base DN = [DC=intra,DC=reg] Filter = [sAMAccountName=test-user] Scope = [SUBTREE]
[2889292] User DN = [CN=Test User,OU=user,DC=intra,DC=reg]
[2889292] Talking to Active Directory server 172.31.226.66
[2889292] Reading password policy for test-user, dn:CN=Test User,OU=user,DC=intra,DC=reg
[2889292] Read bad password count 0
[2889292] Change Password for test-user successfully converted old password to unicode
[2889292] Change Password for test-user successfully converted new password to unicode
[2889292] Fiber exit Tx=764 bytes Rx=3397 bytes, status=-1
[2889292] Session End
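The following is an added example and not code from the thread or from Cisco. It reconstructs what the "Modify Password" session in the debug above sends to Active Directory: the old and new passwords are wrapped in double quotes and encoded as UTF-16LE (the "converted ... to unicode" lines), then submitted as a single LDAP modify that deletes the old unicodePwd value and adds the new one, which AD only accepts over an encrypted connection such as the ldaps://...:636 session shown. It also includes an offline pre-check modelled on AD's default "Password must meet complexity requirements" rule, and a parser for the 8-hex-digit code AD puts at the front of its diagnostic message. The DN, account names, passwords and diagnostic strings are constructed for illustration; the minimum length of 7 is the Default Domain Policy value and would need to match the real policy.

```python
"""Added example (not from the thread): the unicodePwd modify that an
ASA password change builds against AD, plus an offline complexity check
and a parser for AD's diagnostic code. All sample data is constructed."""
import re

# Delimiters AD uses to split displayName into tokens for the complexity check.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute expects the password enclosed in double
    quotes and encoded as UTF-16LE; this is the 'to unicode' step in the
    ASA debug output."""
    return f'"{password}"'.encode("utf-16-le")


def build_password_change(user_dn: str, old_password: str, new_password: str):
    """Return (dn, operations) for a self-service password change: one LDAP
    modify that deletes the old unicodePwd value and adds the new one. AD
    rejects unicodePwd writes on an unencrypted connection (hence LDAPS/636).
    The tuple shape (op, attribute, values) is this example's own, not a
    specific client library's API."""
    return (
        user_dn,
        [
            ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
            ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
        ],
    )


def meets_default_complexity(password: str, sam_account_name: str,
                             display_name: str = "", min_length: int = 7) -> bool:
    """Offline approximation of AD's default complexity policy:
    - at least min_length characters (min length is a separate policy setting),
    - does not contain the sAMAccountName (checked only if it is >= 3 chars),
    - does not contain any displayName token longer than two characters,
    - uses characters from at least three of five categories.
    Password history and minimum password age cannot be checked offline."""
    lowered = password.lower()
    if len(password) < min_length:
        return False
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    for token in _NAME_DELIMS.split(display_name):
        if len(token) > 2 and token.lower() in lowered:
            return False
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        # alphabetic but neither upper nor lower case (e.g. CJK scripts)
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    return sum(categories) >= 3


# Leading codes AD places in its diagnostic message on a failed modify.
_AD_CODES = {
    "0000052D": "ERROR_PASSWORD_RESTRICTION: complexity, history or minimum-age policy",
    "00000056": "ERROR_INVALID_PASSWORD: old password did not match",
}


def explain_ad_diagnostic(message: str) -> str:
    """Map the 8-hex-digit prefix of an AD diagnosticMessage to its meaning.
    Complexity, history and minimum-age failures all share 0000052D, so the
    'does not meet requirements' wording alone does not identify the rule."""
    m = re.match(r"^([0-9A-Fa-f]{8}):", message)
    if not m:
        return "no AD error code in message"
    return _AD_CODES.get(m.group(1).upper(), f"unmapped AD code {m.group(1).upper()}")


if __name__ == "__main__":
    dn, ops = build_password_change("CN=Test User,OU=user,DC=intra,DC=reg",
                                    "Old-Pass-1!", "Winter-2016!")
    print(dn, [(op, attr) for op, attr, _ in ops])
    print(meets_default_complexity("Winter-2016!", "test-user", "Test User"))
    # constructed diagnostic string in AD's usual layout
    print(explain_ad_diagnostic("0000052D: Constraint violation - check_password_restrictions"))
```

The offline check only covers rules that need no server state; when AD still answers 0000052D for a password that passes it, the remaining candidates are password history and minimum password age on the user's policy, which a packet capture on the LDAPS session (as suggested above) will not reveal without the server-side policy.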