VPN users get no 'change password' request from RADIUS

Unanswered Question
Nov 15th, 2007

Hi all,

I have a password problem with remote users logging on over VPN.

When their password is about to expire or has already expired, they can't log in through the VPN.

They do not get an error or a password change prompt from the VPN client.

Besides this all VPN connections work OK until time for pw change.

A lot of salespersons never get into their offices, and this is a problem since our password policy requires us to change the pw every 3rd month.

The setup is an ASA5510, Version 8.0(2) as VPN concentrator.

ASDM 6.0(2)

VPN-clients are 4.8 and 5.00.

The ASA is communicating ok with the Radius over MSCHAPv2 for all sessions.

I have activated the ASDM entry "Enable notification upon password expiration..." to 14 days prior to expiration.

The ASA log shows the following when logging on with a password due to expire:

Nov 15 08:08:15 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = <x.x.x.x> : user = <the username>

Nov 15 08:08:16 asa01 %ASA-3-713048: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Error processing payload: Payload ID: 14

Nov 15 08:08:16 asa01 %ASA-3-713194: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Sending IKE Delete With Reason message: No Reason Provided.

Nov 15 08:08:16 asa01 %ASA-3-713902: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Removing peer from peer table failed, no match!

Nov 15 08:08:16 asa01 %ASA-4-713903: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

The ASA authenticates users against a Windows 2003 IAS-RADIUS.

This works ok for all users except when they need to change password.

The Windows Eventlog gives the following message:

Computer: AUTH01

Description:

User <the username> was denied access.

Fully-Qualified-User-Name = <the username>

NAS-IP-Address = x.x.x.x

NAS-Identifier = <not present>

Called-Station-Identifier = x.x.x.x

Calling-Station-Identifier = x.x.x.x

Client-Friendly-Name = asa01

Client-IP-Address = x.x.x.x

NAS-Port-Type = Virtual

NAS-Port = 67366912

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = VPN Access Policy

Authentication-Type = MS-CHAPv2

EAP-Type = <undetermined>

Reason-Code = 33

Reason = The user must change his or her password.

Any suggestions or better yet if you have a working solution you might present the config?

Regards

//Robert
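The two logs above show the diagnostic gap: the ASA only says "reason = Unspecified", while the real cause (Reason-Code 33, "must change password") is only visible on the IAS side. The script below is an added example, not part of this thread, that parses ASA %ASA-6-113005 lines and IAS denial descriptions in the formats quoted above and correlates them by username and time so an operator can tell expired-password rejections apart from bad-credential rejections. The log lines, usernames, addresses, timestamps and the 2007 year used to complete the ASA timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed ASA syslog sample in the format quoted in the post (usernames/IPs are made up).
ASA_LOG = """\
Nov 15 08:08:15 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = jdoe
Nov 15 08:08:16 asa01 %ASA-3-713048: Group = X-VPN, Username = jdoe, IP = 198.51.100.7, Error processing payload: Payload ID: 14
Nov 15 08:09:40 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = asmith
Nov 15 08:12:01 asa01 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = bwong
"""

# Constructed IAS events: event-log timestamp plus the description block as quoted in the post.
IAS_EVENTS = [
    {"time": datetime(2007, 11, 15, 8, 8, 15), "description": """User jdoe was denied access.
Fully-Qualified-User-Name = CORP\\jdoe
Client-Friendly-Name = asa01
Authentication-Type = MS-CHAPv2
Reason-Code = 33
Reason = The user must change his or her password."""},
    {"time": datetime(2007, 11, 15, 8, 9, 41), "description": """User asmith was denied access.
Fully-Qualified-User-Name = CORP\\asmith
Client-Friendly-Name = asa01
Authentication-Type = MS-CHAPv2
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used."""},
]

# ASA syslog has no year, so the caller supplies one (assumed 2007 here to match the thread).
ASA_REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>[^:]+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+)$"
)
IAS_USER = re.compile(r"^User (?P<user>\S+) was denied access\.$")
IAS_KV = re.compile(r"^(?P<key>[\w-]+) = (?P<value>.*)$")


def parse_asa_rejects(text, year=2007):
    """Return one dict per %ASA-6-113005 rejection; other message IDs are ignored."""
    rejects = []
    for line in text.splitlines():
        m = ASA_REJECT.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rejects.append({"time": ts, "user": m["user"],
                        "reason": m["reason"].strip(), "server": m["server"]})
    return rejects


def parse_ias_event(description):
    """Turn the 'Key = Value' lines of an IAS denial event into a dict, plus the denied user."""
    fields = {}
    for line in description.splitlines():
        u = IAS_USER.match(line)
        if u:
            fields["User"] = u["user"]
            continue
        kv = IAS_KV.match(line)
        if kv:
            fields[kv["key"]] = kv["value"]
    return fields


def correlate(asa_rejects, ias_events, window=timedelta(seconds=60)):
    """Attach the RADIUS-side reason to each ASA rejection for the same user within the window."""
    findings = []
    for r in asa_rejects:
        match = None
        for ev in ias_events:
            f = ev["fields"]
            if f.get("User") == r["user"] and abs(ev["time"] - r["time"]) <= window:
                match = f
                break
        if match is None:
            verdict = "no matching RADIUS event"
        elif match.get("Reason-Code") == "33":
            verdict = "password expired (IAS reason 33); ASA reported 'Unspecified'"
        else:
            verdict = f"RADIUS reason {match.get('Reason-Code')}: {match.get('Reason')}"
        findings.append({"user": r["user"], "time": r["time"], "verdict": verdict})
    return findings


def analyze(asa_text=ASA_LOG, ias_events=IAS_EVENTS, year=2007):
    """Run the whole pipeline over the embedded samples (or real exports passed in)."""
    events = [{"time": e["time"], "fields": parse_ias_event(e["description"])} for e in ias_events]
    return correlate(parse_asa_rejects(asa_text, year), events)


def expired_users(findings):
    """Users whose ASA rejection was really an expired password on the RADIUS side."""
    return {f["user"] for f in findings if f["verdict"].startswith("password expired")}


if __name__ == "__main__":
    for f in analyze():
        print(f"{f['time']:%H:%M:%S} {f['user']}: {f['verdict']}")
```

On a real deployment you would feed `analyze()` the ASA syslog export and the IAS event descriptions for the same period; the point is that the ASA "Unspecified" rejection alone cannot distinguish an expired password from a typo, so the RADIUS server's Reason-Code is what tells you whether the fix is password management on the tunnel-group or a credentials problem.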

kagodfrey Fri, 11/16/2007 - 05:30

Hi Robert

Unfortunately, this is unsupported. According to the ASA 8.0 command reference, "Password Management is not supported for... Kerberos/Active Directory (Windows Password) or NT4.0 Domain..." however it does go on to suggest that it may be possible to use a RADIUS server such as Cisco ACS to proxy your auth request off to another server, although this configuration is not something I have any experience with personally. I too would be interested to hear if anyone has had any success with this configuration with respect to receiving expiration notifications.

HTH

Kev

acomiskey Mon, 11/19/2007 - 10:45

You must add the password management command for the tunnel group

tunnel-group general-attributes

password-management

This will allow your users to be prompted to change their password once their passwords have expired. The "password-expire-in-days" will alert them a certain number of days before it expires, although this works for LDAP servers only, not RADIUS.

Also, since you're using IAS, there is a checkbox which must be selected in the remote access policy on the authentication tab. Select the box for "User can change password after it has expired".

Hope that helps.

jag_robert Wed, 11/21/2007 - 04:10

Hi all,

The issue is solved for us!

It seems like the Cisco VPN-client version 5.0.00.0340, and possibly earlier versions, can't handle this password expiry with ASA v 8.0.

Anyhow, when I upgraded to client version 5.0.01.0600 I got the reply I was looking for.

The client prompted me to change pin (Password) when I logged in with an account that had an expired password.

So the trick is:

- Client Version 5.0.01.0600

- tunnel-group general-attributes

password-management

- IAS supporting MS-CHAP v1 and v2.

I hope this can help someone more than me.

Reg

//Robert
