Showing results for 
Search instead for 
Did you mean: 

Windows Password Change Failure - ACS 3.2 and VPN 3015


Hi all,

I'm having trouble getting password changes to work with Cisco ACS 3.2, VPN 3015 and the Cisco VPN Client. I have some users configured in ACS to authenticate against or Windows Database. This works fine until their passwords expire (every 30 days). They are never presented with a change password request and the logs show 'Windows Change Password failure'.

I believe ACS is setup as specified by the documentation (with MSCHAP enabled etc).

Are there any requirements on the user account or windows side to enable this?


6 Replies 6

Rising star
Rising star

Hi Jason,

maybe User-Changeable Passwords could help you solve yours issue

check following link


Hope that helps rate if it doeas


we are having a similar issue with ACS / AD and an ASA 5540 with SSL-VPN. How can we set a password to expire every 30 days and prompt the user to change it 10 days prior to that. In my view the UCP solution is only useful if a password is not set to expire and the use wants to change it.



I am in the same boat as you Markus - only ipsec VPN is more critical for me. I have ACS set up to pass the password expiration, but it does not seem to work.

After some more testing it turns out that UCP (User Changeable Password) only supports the built-in ACS database and no external like LDAP or AD. Hope this will change in future versions.




We ran into a similar issue. The fix we implemented was to have the VPN client run on start-up on the laptop. The scenario is that the laptop boots up...comes to a Windows login with the VPN client in the bottom left. User authenticates to VPN FIRST, then enters in their AD credentials to the Windows login box. If the password is expiring soon, the already authenticated user is prompted to change their password. Likely not the best fix as the user must login twice but it's how we got around the issue.


For password change to work via 3015 and Acs we need the following :-

1. Radius with expiry selected in 3015 Groups

2. In ACS->External Db->Windows Config, we need to select "Allow password change using mschap and mschapv2".

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers