Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
387
Views
5
Helpful
1
Replies

ACS 3.3 Authenticating VPN users on ASA5500

griffijo
Level 1
Level 1

‎10-25-2007 01:45 PM - edited ‎03-10-2019 03:28 PM

I am currently migrating VPN services from a Cisco 3015 concentrator to our new ASA 5540's using ACS 3.3 (appliance) for authentication. I have created a group on the ACS and added some test users and all works well. The next thing I wanted to do was to assign users and force them to change their passwords upon the first successful login. When I check "apply password change rule" under the "password aging rules" of the ACS group properties, I fail to get a prompt asking me to change the password and the ACS sets the user account to expired after the first login. Thank you for your help.

Labels:
0 Helpful
1 Reply 1

Premdeep Banga
Level 7
Level 7

‎10-25-2007 03:22 PM

From the description, it seems like that you are using local ACS database.

You can check the variety of Password change that ACS can support,

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/user/guide/g.html#wp16647

Basically there are four types,

First two are only applicable, when we have user in Windows Database.

Third one is only applicable if we have user in local database, but we are using Tacacs+ as the authentication protocol.

And the last one says,

"Password Aging for Transit Sessions-Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed."

From my experience, there has been only one/two instances out of ten where I have seen this kind of setup working, when we have installed CAA and Cisco VPN Client together, and user is on local ACS database, to get it to work.

And this was in the case when Cu were using ACS 3.3.x and some lower version of VPN Client.

But if you have user on Window database, it works like a charm, using password management command on ASA,

hostname(config)# tunnel-group general-attributes

hostname(config-tunnel-general)# password-management

CAA is on installation/Upgrade CD of ACS SE.

Summarizing, I am not sure if this will work using local database of ACS.

Other solution that you can look into is UCP.

A utility that is used for changing password for local users on ACS database.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/installation/guide/passwords/ucp_1.html

Again, UCP is not that flexible, i.e., you cannot change password through this utility, if password has already been expired etc.

HTH

Prem

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents