10-23-2006 12:25 AM - edited 02-21-2020 02:40 PM
Hi all,
I'm having trouble getting password changes to work with Cisco ACS 3.2, VPN 3015 and the Cisco VPN Client. I have some users configured in ACS to authenticate against our Windows Database. This works fine until their passwords expire (every 30 days). They are never presented with a change password request and the logs show 'Windows Change Password failure'.
I believe ACS is set up as specified by the documentation (with MSCHAP enabled etc).
Are there any requirements on the user account or Windows side to enable this?
Thanks,
10-23-2006 03:47 AM
Hi Jason,
Maybe User-Changeable Passwords could help you solve your issue.
Check the following link:
http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guide09186a00801c2e18.html
M.
Hope that helps; rate if it does.
11-13-2006 02:54 AM
Hello,
We are having a similar issue with ACS / AD and an ASA 5540 with SSL-VPN. How can we set a password to expire every 30 days and prompt the user to change it 10 days prior to that? In my view the UCP solution is only useful if a password is not set to expire and the user wants to change it.
Thanks.
-Markus
01-11-2007 06:17 PM
I am in the same boat as you Markus - only IPsec VPN is more critical for me. I have ACS set up to pass the password expiration, but it does not seem to work.
01-12-2007 04:44 AM
After some more testing it turns out that UCP (User Changeable Password) only supports the built-in ACS database and no external ones like LDAP or AD. Hope this will change in future versions.
Regards,
-Markus
01-12-2007 06:53 AM
We ran into a similar issue. The fix we implemented was to have the VPN client run on start-up on the laptop. The scenario is that the laptop boots up and comes to a Windows login with the VPN client in the bottom left. The user authenticates to the VPN FIRST, then enters their AD credentials in the Windows login box. If the password is expiring soon, the already authenticated user is prompted to change their password. Likely not the best fix as the user must log in twice, but it's how we got around the issue.
-Mike
01-15-2007 05:00 AM
For password change to work via the 3015 and ACS we need the following:
1. RADIUS with expiry selected in 3015 Groups
2. In ACS->External Db->Windows Config, we need to select "Allow password change using mschap and mschapv2".