VPN users get no 'change password' request from RADIUS

Nov 15th, 2007

Hi all,

I have a password problem with remote users logging on over VPN.

When their password is about to expire or has already expired, they can't log in through the VPN.

They do not get an error or a password change prompt from the VPN client.

Apart from this, all VPN connections work OK until it is time for a password change.

A lot of salespersons never get into their offices, and this is a problem since our password policy requires us to change passwords every third month.

The setup is an ASA5510, Version 8.0(2) as VPN concentrator.

ASDM 6.0(2)

VPN-clients are 4.8 and 5.00.

The ASA is communicating OK with the RADIUS server over MS-CHAPv2 for all sessions.

I have activated the ASDM entry "Enable notification upon password expiration..." to 14 days prior to expiration.

The ASA log shows the following when logging on with a password that is due to expire:

Nov 15 08:08:15 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = <x.x.x.x> : user = <the username>

Nov 15 08:08:16 asa01 %ASA-3-713048: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Error processing payload: Payload ID: 14

Nov 15 08:08:16 asa01 %ASA-3-713194: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Sending IKE Delete With Reason message: No Reason Provided.

Nov 15 08:08:16 asa01 %ASA-3-713902: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Removing peer from peer table failed, no match!

Nov 15 08:08:16 asa01 %ASA-4-713903: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

The ASA authenticates users against a Windows 2003 IAS RADIUS server.

This works OK for all users except when they need to change their password.

The Windows event log gives the following message:

Computer: AUTH01

User <the username> was denied access.

Fully-Qualified-User-Name = <the username>

NAS-IP-Address = x.x.x.x

NAS-Identifier = <not present>

Called-Station-Identifier = x.x.x.x

Calling-Station-Identifier = x.x.x.x

Client-Friendly-Name = asa01

Client-IP-Address = x.x.x.x

NAS-Port-Type = Virtual

NAS-Port = 67366912

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = VPN Access Policy

Authentication-Type = MS-CHAPv2

EAP-Type = <undetermined>

Reason-Code = 33

Reason = The user must change his or her password.

Any suggestions? Or better yet, if you have a working solution, could you present the config?



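The two log excerpts above show the practical problem for anyone triaging these failures: the ASA reports only "reason = Unspecified", so an expired password looks exactly like a wrong one on the concentrator, and the real cause (Reason-Code 33) lives only in the IAS event. The following script, an added example that is not part of the original post, joins the two sources by username so the help desk can tell expiry from a bad credential. The sample syslog lines and IAS event bodies are constructed to match the formats quoted in the post; the user names and addresses are made up, and Reason-Code 16 is assumed to be IAS's "unknown user name or incorrect password" code.

```python
import re

# Constructed sample ASA syslog lines (not from the original post; user names
# and addresses are made up) following the %ASA-6-113005 / %ASA-3-713048
# format quoted in the question.
ASA_SYSLOG = """\
Nov 15 08:08:15 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = jdoe
Nov 15 08:08:16 asa01 %ASA-3-713048: Group = X-VPN, Username = jdoe, IP = 203.0.113.7, Error processing payload: Payload ID: 14
Nov 15 08:09:40 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = asmith
Nov 15 08:10:02 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = bwong
"""

# Constructed IAS "denied access" event bodies following the layout quoted in
# the question. Reason-Code 33 is the value the post shows; 16 is assumed to be
# IAS's "unknown user name or incorrect password" code.
IAS_EVENTS = [
    "User jdoe was denied access.\n"
    "Fully-Qualified-User-Name = jdoe\n"
    "Client-Friendly-Name = asa01\n"
    "Authentication-Type = MS-CHAPv2\n"
    "Reason-Code = 33\n"
    "Reason = The user must change his or her password.",
    "User asmith was denied access.\n"
    "Fully-Qualified-User-Name = asmith\n"
    "Client-Friendly-Name = asa01\n"
    "Authentication-Type = MS-CHAPv2\n"
    "Reason-Code = 16\n"
    "Reason = Authentication was not successful because an unknown user name or incorrect password was used.",
]

# %ASA-6-113005 carries the RADIUS server and the user, but the reason is
# always "Unspecified" for a server-side reject, so it is captured only for
# completeness.
ASA_REJECT_RE = re.compile(
    r"%ASA-6-113005: AAA user authentication Rejected : reason = (?P<reason>[^:]+?) "
    r": server = (?P<server>\S+) : user = (?P<user>\S+)"
)
IAS_USER_RE = re.compile(r"^Fully-Qualified-User-Name = (?P<user>.+)$", re.M)
IAS_CODE_RE = re.compile(r"^Reason-Code = (?P<code>\d+)$", re.M)

# IAS reason codes that matter for VPN logon failures (16 is assumed, see above).
IAS_REASON = {33: "password_expired", 16: "bad_credentials"}


def parse_asa_rejects(syslog):
    """Return {user: radius_server} for every AAA reject the ASA logged."""
    rejects = {}
    for line in syslog.splitlines():
        m = ASA_REJECT_RE.search(line)
        if m:
            rejects[m.group("user")] = m.group("server")
    return rejects


def parse_ias_events(events):
    """Return {user: reason_code} from IAS 'denied access' event bodies."""
    codes = {}
    for body in events:
        u = IAS_USER_RE.search(body)
        c = IAS_CODE_RE.search(body)
        if u and c:
            codes[u.group("user").strip()] = int(c.group("code"))
    return codes


def correlate_rejects(syslog, events):
    """Map each ASA-side reject to the cause IAS recorded for that user.

    Without the IAS event a password-expiry reject cannot be told apart from
    a wrong password on the ASA alone, so users with no matching IAS event
    are flagged rather than guessed at.
    """
    asa = parse_asa_rejects(syslog)
    ias = parse_ias_events(events)
    result = {}
    for user in asa:
        code = ias.get(user)
        if code is None:
            result[user] = "no_ias_event"
        else:
            result[user] = IAS_REASON.get(code, "unknown")
    return result


if __name__ == "__main__":
    for user, cause in correlate_rejects(ASA_SYSLOG, IAS_EVENTS).items():
        print(f"{user}: {cause}")
```

In a real deployment the IAS events would come from the Security log on AUTH01 (or the IAS log files) and the ASA lines from the syslog collector; the join key is the username, and the timestamps should be compared as well once the two clocks are known to agree.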
kagodfrey Fri, 11/16/2007 - 05:30

Hi Robert

Unfortunately, this is unsupported. According to the ASA 8.0 command reference, "Password Management is not supported for... Kerberos/Active Directory (Windows Password) or NT4.0 Domain..." However, it does go on to suggest that it may be possible to use a RADIUS server such as Cisco ACS to proxy your auth request off to another server, although this configuration is not something I have any experience with personally. I too would be interested to hear if anyone has had any success with this configuration with respect to receiving expiration notifications.



acomiskey Mon, 11/19/2007 - 10:45

You must add the password management command for the tunnel group

tunnel-group general-attributes


This will allow your users to be prompted to change their password once their passwords have expired. The "password-expire-in-days" will alert them a certain number of days before it expires, although this works for LDAP servers only, not RADIUS.

Also, since you're using IAS, there is a checkbox which must be selected in the remote access policy on the authentication tab. Select the box for "User can change password after it has expired".

Hope that helps.
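The ASA side of what acomiskey describes, written out as an added configuration example (not the poster's or Cisco's own config). The server-group name, interface, server address and shared secret are assumed; the tunnel-group name X-VPN is taken from the logs in the question. password-expire-in-days is deliberately left off, since per the reply above it only works against LDAP, not RADIUS. mschapv2-capable is shown to make the MS-CHAPv2 requirement explicit; it is the default for a RADIUS aaa-server host, so the line can be dropped if the release in use does not accept it.

```cisco
! Added example; names, address, interface and secret are assumed placeholders
aaa-server RADIUS-IAS protocol radius
aaa-server RADIUS-IAS (inside) host 10.0.0.5
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
 mschapv2-capable
!
tunnel-group X-VPN general-attributes
 authentication-server-group RADIUS-IAS
 password-management
```

This only gives the client a change-password prompt if IAS is willing to accept a change, which is the "User can change password after it has expired" checkbox on the remote access policy's Authentication tab mentioned above; with that box clear, IAS keeps returning Reason-Code 33 and the ASA keeps logging %ASA-6-113005 with reason Unspecified.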

jag_robert Wed, 11/21/2007 - 04:10

Hi all,

The issue is solved for us!

It seems like the Cisco VPN client version, and possibly earlier versions, can't handle this password expiry with ASA v8.0.

Anyhow, when I upgraded to client version I got the reply I was looking for.

The client prompted me to change PIN (password) when I logged in with an account that had an expired password.

So the trick is:

- Client Version

- tunnel-group general-attributes


- IAS supporting MS-CHAP v1 and v2.

I hope this can help someone more than me.
