11-15-2007 06:12 AM
Hi all,
I have a password problem with remote users logging on over VPN.
When their password is about to expire or has already expired, they can't log in through the VPN.
They do not get an error or a password change prompt from the VPN client.
Apart from this, all VPN connections work OK until it is time for a pw change.
A lot of salespersons never get into their offices, and this causes a problem since our password policy requires us to change pw every 3rd month.
The setup is an ASA5510, Version 8.0(2) as VPN concentrator.
ASDM 6.0(2)
VPN-clients are 4.8 and 5.00.
The ASA is communicating OK with the RADIUS over MSCHAPv2 for all sessions.
I have activated the ASDM entry "Enable notification upon password expiration..." and set it to 14 days prior to expiration.
The ASA log shows the following when logging on with a password due to expire:
Nov 15 08:08:15 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = <x.x.x.x> : user = <the username>
Nov 15 08:08:16 asa01 %ASA-3-713048: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Error processing payload: Payload ID: 14
Nov 15 08:08:16 asa01 %ASA-3-713194: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Sending IKE Delete With Reason message: No Reason Provided.
Nov 15 08:08:16 asa01 %ASA-3-713902: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Removing peer from peer table failed, no match!
Nov 15 08:08:16 asa01 %ASA-4-713903: Group = X-VPN, Username = <the username>, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
The ASA authenticates users towards a Windows 2003 IAS-RADIUS.
This works OK for all users except when they need to change password.
The Windows Eventlog gives the following message:
Computer: AUTH01
Description:
User <the username> was denied access.
Fully-Qualified-User-Name = <the username>
NAS-IP-Address = x.x.x.x
NAS-Identifier = <not present>
Called-Station-Identifier = x.x.x.x
Calling-Station-Identifier = x.x.x.x
Client-Friendly-Name = asa01
Client-IP-Address = x.x.x.x
NAS-Port-Type = Virtual
NAS-Port = 67366912
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Access Policy
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 33
Reason = The user must change his or her password.
Any suggestions or better yet if you have a working solution you might present the config?
Regards
//Robert
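The ASA lines above only say "reason = Unspecified"; it is the IAS event's Reason-Code that tells an expired password apart from a wrong one. The following triage script is an added example (not from this thread, Cisco or Microsoft) that parses %ASA-6-113005 rejection lines and IAS "denied access" events in the layout shown in the post and labels each rejected user. The log text, usernames, addresses and the second event's Reason-Code 16 are constructed sample values, not data from the post.

```python
import re

# Constructed ASA syslog sample modelled on the lines in the post; hostnames,
# usernames and addresses are made up (192.0.2.x / 10.0.0.x are documentation ranges).
ASA_LOG = """\
Nov 15 08:08:15 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = jdoe
Nov 15 08:08:16 asa01 %ASA-3-713048: Group = X-VPN, Username = jdoe, IP = 192.0.2.10, Error processing payload: Payload ID: 14
Nov 15 08:08:16 asa01 %ASA-3-713194: Group = X-VPN, Username = jdoe, IP = 192.0.2.10, Sending IKE Delete With Reason message: No Reason Provided.
Nov 15 09:00:01 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = asmith
Nov 15 09:15:42 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 10.0.0.5 : user = bwhite
"""

# Constructed IAS denial events in the "attribute = value" layout shown in the post.
# Reason-Code 33 is the value from the post; 16 (unknown user name or bad password)
# is an assumed second sample so the classifier has something to distinguish.
IAS_EVENTS = [
    """User jdoe was denied access.
Fully-Qualified-User-Name = jdoe
Client-Friendly-Name = asa01
Authentication-Type = MS-CHAPv2
Reason-Code = 33
Reason = The user must change his or her password.""",
    """User asmith was denied access.
Fully-Qualified-User-Name = asmith
Client-Friendly-Name = asa01
Authentication-Type = MS-CHAPv2
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or an incorrect password was used.""",
]

ASA_REJECT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) %ASA-6-113005: "
    r"AAA user authentication Rejected : reason = (?P<reason>.+?) : "
    r"server = (?P<server>\S+) : user = (?P<user>\S+)$"
)

IAS_PASSWORD_MUST_CHANGE = "33"  # Reason-Code seen in the post's IAS event


def parse_asa_rejections(log_text):
    """Return one dict per %ASA-6-113005 rejection; other message IDs are skipped."""
    rejections = []
    for line in log_text.splitlines():
        m = ASA_REJECT.match(line)
        if m:
            rejections.append(m.groupdict())
    return rejections


def parse_ias_event(text):
    """Flatten an IAS 'denied access' event into a dict of its attribute = value lines."""
    attrs = {}
    head = re.match(r"User (\S+) was denied access", text)
    if head:
        attrs["User"] = head.group(1)
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def classify_rejections(asa_log, ias_events):
    """Map each ASA-rejected user to a verdict using the RADIUS server's reason.

    The ASA only reports 'reason = Unspecified', so the IAS Reason-Code is what
    separates an expired password from a wrong one. Matching is by username only;
    a production version would also match NAS-IP-Address and a time window.
    """
    ias_by_user = {}
    for event in map(parse_ias_event, ias_events):
        user = event.get("Fully-Qualified-User-Name") or event.get("User")
        if user:
            ias_by_user[user] = event
    verdicts = {}
    for rej in parse_asa_rejections(asa_log):
        event = ias_by_user.get(rej["user"])
        if event is None:
            verdicts[rej["user"]] = "no_radius_record"
        elif event.get("Reason-Code") == IAS_PASSWORD_MUST_CHANGE:
            verdicts[rej["user"]] = "password_expired"
        else:
            verdicts[rej["user"]] = "auth_failure"
    return verdicts


if __name__ == "__main__":
    for user, verdict in classify_rejections(ASA_LOG, IAS_EVENTS).items():
        print(f"{user}: {verdict}")
```

Run as-is it prints one verdict per rejected user; point `ASA_LOG` and `IAS_EVENTS` at exported syslog and event text to use it on real data. A user who keeps showing up as `password_expired` is a help-desk ticket, not a brute-force attempt, which is the distinction the ASA log alone cannot make.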
11-16-2007 05:30 AM
Hi Robert
Unfortunately, this is unsupported. According to the ASA 8.0 command reference, "Password Management is not supported for... Kerberos/Active Directory (Windows Password) or NT4.0 Domain..." However, it does go on to suggest that it may be possible to use a RADIUS server such as Cisco ACS to proxy your auth request off to another server, although this configuration is not something I have any experience with personally. I too would be interested to hear if anyone has had any success with this configuration with respect to receiving expiration notifications.
HTH
Kev
11-19-2007 10:45 AM
You must add the password management command for the tunnel group (the group name is a placeholder here; password-management lives under the tunnel group's general-attributes):
tunnel-group <the tunnel group name> general-attributes
 password-management
This will allow your users to be prompted to change their password once their passwords have expired. The "password-expire-in-days" will alert them a certain number of days before it expires, although this works for LDAP servers only, not RADIUS.
Also, since you're using IAS, there is a checkbox which must be selected in the remote access policy on the authentication tab. Select the box for "User can change password after it has expired".
Hope that helps.
11-21-2007 04:10 AM
Hi all,
The issue is solved for us!
It seems like the Cisco VPN-client version 5.0.00.0340, and possibly earlier versions, can't handle this password expiry with ASA v 8.0.
Anyhow, when I upgraded to client version 5.0.01.0600 I got the reply I was looking for.
The client prompted me to change pin (Password) when I logged in with an account that had an expired password.
So the trick is:
- Client Version 5.0.01.0600
- tunnel-group <the tunnel group name> general-attributes
   password-management
- IAS supporting MS-CHAP v1 and v2.
I hope this can help someone more than me.
Reg
//Robert