ACS 3.3 Authenticating VPN users on ASA5500

Unanswered Question

I am currently migrating VPN services from a Cisco 3015 concentrator to our new ASA 5540s, using ACS 3.3 (appliance) for authentication. I have created a group on the ACS and added some test users, and all works well. The next thing I wanted to do was to assign users and force them to change their passwords upon the first successful login. When I check "Apply password change rule" under the "Password Aging Rules" of the ACS group properties, I fail to get a prompt asking me to change the password, and the ACS sets the user account to expired after the first login. Thank you for your help.

Premdeep Banga Thu, 10/25/2007 - 15:22

From the description, it seems that you are using the local ACS database.

You can check the varieties of password change that ACS can support here:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/user/guide/g.html#wp16647

Basically there are four types:

- The first two are only applicable when the user is in the Windows database.

- The third one is only applicable if the user is in the local database, but we are using TACACS+ as the authentication protocol.

- The last one says: "Password Aging for Transit Sessions - Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed."

From my experience, there have been only one or two instances out of ten where I have seen this kind of setup working, with CAA and the Cisco VPN Client installed together and the user in the local ACS database.

And that was when the customers were using ACS 3.3.x and some lower version of the VPN Client.

But if you have the user in the Windows database, it works like a charm, using the password-management command on the ASA:

hostname(config)# tunnel-group <tunnel-group-name> general-attributes

hostname(config-tunnel-general)# password-management

CAA is on the installation/upgrade CD of the ACS SE.

Summarizing, I am not sure if this will work using the local database of ACS.

Another solution that you can look into is UCP, a utility that is used for changing passwords for local users in the ACS database:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/installation/guide/passwords/ucp_1.html

Again, UCP is not that flexible, i.e., you cannot change a password through this utility if the password has already expired, etc.

HTH

Prem
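The reply above shows only the two lines that turn on password management. Below is an added example (not part of the original post, and not Cisco's own sample configuration) of the surrounding ASA configuration those lines sit in, so that the tunnel group actually authenticates against the ACS rather than the ASA's local database. The server group name `ACS`, the tunnel-group name `RemoteVPN`, the address `10.1.1.5` and the shared secret are assumptions for illustration; `ipsec-ra` is the tunnel-group type keyword of the ASA 7.x releases current when this thread was written (later releases use `remote-access`).

```cisco
! Added example: RADIUS server group pointing at the ACS appliance.
! The ASA does not talk to the Windows database itself; ACS proxies the
! authentication and the password change to Windows.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.5
 key <shared-secret>
 authentication-port 1645
 accounting-port 1646

! Remote-access tunnel group used by the Cisco VPN Client (IPsec).
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 ! Send user authentication to the ACS group above rather than LOCAL.
 authentication-server-group ACS
 ! Let the ASA prompt the user to change an expired password.
 ! The optional password-expire-in-days <days> argument (advance warning)
 ! applies only to LDAP servers; with RADIUS the ASA does the change
 ! with MS-CHAPv2, so the RADIUS server must support it.
 password-management
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key <group-key>
```

A quick check while testing: `show run tunnel-group RemoteVPN` should list `password-management` under the general attributes and `authentication-server-group ACS`; if the group still reads `authentication-server-group LOCAL` (or the line is absent), the ASA is authenticating users against its own database and the ACS password-aging settings are never consulted.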
