I have a password problem with remote users logging on over VPN.
When their password is about to expire or has already expired, they can't log in through the VPN.
They do not get an error or a password change prompt from the VPN client.
Apart from this, all VPN connections work OK until it is time for a password change.
A lot of salespersons never get into their offices, and this causes a problem since our password policy requires us to change the password every 3rd month.
The setup is an ASA5510, Version 8.0(2) as VPN concentrator.
VPN-clients are 4.8 and 5.00.
The ASA is communicating OK with the RADIUS server over MSCHAPv2 for all sessions.
I have activated the ASDM entry "Enable notification upon password expiration..." to 14 days prior to expiration.
The ASA log shows the following when logging on with a password that is due to expire:
Nov 15 08:08:15 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = <x.x.x.x> : user = <the username>
Nov 15 08:08:16 asa01 %ASA-3-713048: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Error processing payload: Payload ID: 14
Nov 15 08:08:16 asa01 %ASA-3-713194: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Sending IKE Delete With Reason message: No Reason Provided.
Nov 15 08:08:16 asa01 %ASA-3-713902: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Removing peer from peer table failed, no match!
Nov 15 08:08:16 asa01 %ASA-4-713903: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
The ASA authenticates users against a Windows 2003 IAS RADIUS server.
This works OK for all users except when they need to change their password.
The Windows Eventlog gives the following message:
User <the username> was denied access.
Fully-Qualified-User-Name = <the username>
NAS-IP-Address = x.x.x.x
NAS-Identifier = <not present>
Called-Station-Identifier = x.x.x.x
Calling-Station-Identifier = x.x.x.x
Client-Friendly-Name = asa01
Client-IP-Address = x.x.x.x
NAS-Port-Type = Virtual
NAS-Port = 67366912
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Access Policy
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 33
Reason = The user must change his or her password.
Any suggestions? Or, better yet, if you have a working solution, could you present the config?
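As an added triage example (not part of the original post): the ASA's 113005 rejection only says "reason = Unspecified", so this Python correlates those rejections with the IAS event export by username and separates expired-password denials (Reason-Code 33, as in the post) from other denials. The host addresses, usernames and the second event's reason code are constructed sample values.

```python
import re
from typing import Dict, List

# Constructed sample data in the layouts the post shows (placeholder hosts and users).
ASA_LOG = """\
Nov 15 08:08:15 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = jdoe
Nov 15 08:08:16 asa01 %ASA-3-713048: Group = X-VPN, Username = jdoe, IP = 192.0.2.10, Error processing payload: Payload ID: 14
Nov 15 08:09:40 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = asmith
"""
IAS_EVENTS = """\
User jdoe was denied access.
Fully-Qualified-User-Name = jdoe
Reason-Code = 33
Reason = The user must change his or her password.
User asmith was denied access.
Fully-Qualified-User-Name = asmith
Reason-Code = 16
"""

# 113005 carries only "reason = Unspecified"; the username at the end is the join key.
ASA_REJECT = re.compile(r"%ASA-6-113005: AAA user authentication Rejected .*? user = (?P<user>\S+)")
IAS_FIELD = re.compile(r"^(?P<key>[A-Za-z-]+) = (?P<value>.*)$")

def parse_asa_rejections(syslog: str) -> List[str]:
    """Usernames from %ASA-6-113005 lines, in log order (other message IDs are ignored)."""
    return [m.group("user") for line in syslog.splitlines() if (m := ASA_REJECT.search(line))]

def parse_ias_events(text: str) -> List[Dict[str, str]]:
    """Split an IAS export into one key/value dict per 'was denied access' event."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        if "was denied access" in line:
            events.append({})
        elif events and (m := IAS_FIELD.match(line)):
            events[-1][m.group("key")] = m.group("value")
    return events

def classify_rejections(syslog: str, ias_text: str) -> Dict[str, str]:
    """Join ASA rejections to IAS denials on username; reason 33 means the password must be changed."""
    by_user = {ev.get("Fully-Qualified-User-Name"): ev for ev in parse_ias_events(ias_text)}
    verdicts: Dict[str, str] = {}
    for user in parse_asa_rejections(syslog):
        ev = by_user.get(user)
        if ev is None:
            verdicts[user] = "no matching IAS denial"
        elif ev.get("Reason-Code") == "33":
            verdicts[user] = "password expired (IAS reason 33)"
        else:
            verdicts[user] = f"other denial (IAS reason {ev.get('Reason-Code')})"
    return verdicts
```

Running `classify_rejections(ASA_LOG, IAS_EVENTS)` flags jdoe as an expired-password case and asmith as some other denial, which is the distinction the ASA log alone cannot make.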