Remote User VPN Authentication + Password Management + AD + IAS + RADIUS

Jan 2nd, 2008

Hello all,

We are attempting to use our ASA to allow our Remote Users to change their Domain passwords when they attempt to VPN into our Network.

Here are the specs for our environment:

Cisco ASA 5505 Version 7.2(2)

VPN Software:

Windows 2003 SP2 Domain Controller: IAS(Radius)

I know there are countless organizations and individuals out there facing the same issue: AAA Services for Remote users.

I have come across several posts and documentation that highlights the pros and cons of using RADIUS and LDAP for AAA services. But I am still having a hard time seeing which is better.

Currently we are using RADIUS to authenticate our users, BUT now we want Remote Users to have Password Management capabilities, i.e. get notified of Password Expiration and then have the ability to change that Password before it expires.

Is there a single method, or combination of methods, which allows remote users to do this? Also, can this method provide all the AAA services as well? I would appreciate any help. Thank you all in advance.

Danilo Dy Fri, 01/04/2008 - 12:07


Use the Microsoft IISADMPWD for users to be able to access an internal URL to change their password after they successfully log in.

In user AD account General Properties, include user email address. Then use this article to configure a script and other services to notify user when his/her password is going to expire. You can fine tune the script, I send email to user 9-6-3 days before their password expires.

I use these two methods for a large number of users for ASA SSL VPN, PIX IPSec VPN, and also other MS AD User Account usage in a Windows 2003/AD/IAS environment. You can be more creative by editing the message in the script and the URL to make it look like it was done by a professional with an expensive commercial utility. For example, in the script to send email to users you can use the group email account of the people who manage MS AD.

If you need SMTP which can create distribution email accounts and can be integrated with AD and also use it as IMAP, POP3, use

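The "notify users before their password expires" part of the approach above, as an added example (this is not the script from the article Danilo refers to, nor any Cisco or Microsoft code). It assumes you have already pulled each user's `sAMAccountName`, `mail`, `pwdLastSet` and `userAccountControl` from AD (for instance over LDAP), plus the domain's `maxPwdAge`, and it shows the parts that are easy to get wrong: converting Windows FILETIME ticks, skipping accounts whose password never expires, skipping accounts that must change at next logon, and matching the 9-6-3 day schedule. The sample user records, the e-mail addresses and the change-password URL are constructed placeholders.

```python
"""Draft password-expiry reminders from AD attributes.

Added example: not the script from the referenced article. The user
records below are constructed, and the URL/addresses are placeholders.
"""
import smtplib
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

# AD stores pwdLastSet as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
DONT_EXPIRE_PASSWORD = 0x10000          # userAccountControl flag
REMINDER_DAYS = (9, 6, 3)               # the 9-6-3 schedule from the post
CHANGE_URL = "https://intranet.example.invalid/iisadmpwd/"  # placeholder


def filetime_to_datetime(ticks):
    # Integer arithmetic: float seconds would lose precision at this scale.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def password_expiry(user, max_pwd_age_ticks):
    """Return the expiry instant, or None when there is nothing to remind
    about: the never-expires flag is set, the domain policy is 0 (no
    expiry), or pwdLastSet is 0 (must change at next logon)."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return None
    if user["pwdLastSet"] == 0 or max_pwd_age_ticks == 0:
        return None
    # maxPwdAge is stored as a negative interval in 100 ns ticks.
    max_age = timedelta(microseconds=abs(max_pwd_age_ticks) // 10)
    return filetime_to_datetime(user["pwdLastSet"]) + max_age


def users_to_notify(users, max_pwd_age_ticks, now):
    """Return (account, mail, days_left) for users hitting a reminder day.
    Days are counted on calendar dates so the result does not depend on
    what time of day the daily job runs."""
    due = []
    for user in users:
        expiry = password_expiry(user, max_pwd_age_ticks)
        if expiry is None:
            continue
        days_left = (expiry.date() - now.date()).days
        if days_left in REMINDER_DAYS:
            due.append((user["sAMAccountName"], user["mail"], days_left))
    return due


def build_reminder(sender, account, mail, days_left):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = mail
    msg["Subject"] = f"Your domain password expires in {days_left} days"
    msg.set_content(
        f"The domain password for account {account} expires in {days_left} "
        f"days.\nPlease change it before then at {CHANGE_URL}\n"
    )
    return msg


def send_reminders(messages, smtp_host):
    """Hand the drafted messages to the internal SMTP relay."""
    with smtplib.SMTP(smtp_host) as smtp:
        for msg in messages:
            smtp.send_message(msg)


# Fixed "now" so the constructed sample is reproducible; a real job would
# use datetime.now(timezone.utc).
NOW = datetime(2008, 1, 4, 12, 7, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * TICKS_PER_SECOND   # constructed 42-day policy


def _set_days_ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


SAMPLE_USERS = [  # constructed records; NORMAL_ACCOUNT is 0x200
    {"sAMAccountName": "alice", "mail": "alice@example.invalid",
     "pwdLastSet": _set_days_ago(33), "userAccountControl": 0x200},   # 9 days left
    {"sAMAccountName": "bob", "mail": "bob@example.invalid",
     "pwdLastSet": _set_days_ago(39), "userAccountControl": 0x200},   # 3 days left
    {"sAMAccountName": "carol", "mail": "carol@example.invalid",
     "pwdLastSet": _set_days_ago(10), "userAccountControl": 0x200},   # 32 days left
    {"sAMAccountName": "dave", "mail": "dave@example.invalid",
     "pwdLastSet": _set_days_ago(40), "userAccountControl": 0x10200}, # never expires
    {"sAMAccountName": "erin", "mail": "erin@example.invalid",
     "pwdLastSet": 0, "userAccountControl": 0x200},                   # change at next logon
    {"sAMAccountName": "frank", "mail": "frank@example.invalid",
     "pwdLastSet": _set_days_ago(50), "userAccountControl": 0x200},   # already expired
]

if __name__ == "__main__":
    for account, mail, days in users_to_notify(SAMPLE_USERS, MAX_PWD_AGE, NOW):
        print(build_reminder("ad-admins@example.invalid", account, mail, days))
```

Run as a daily scheduled task it drafts reminders only for alice (9 days) and bob (3 days); pass the drafts to `send_reminders` with your relay's hostname to actually deliver them. Sending from the AD admins' group mailbox, as the post suggests, also gives users a sane reply address.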


najeebsyed2 Fri, 01/04/2008 - 12:20

Hello Medan,

Thanks for this great tip. I appreciate it. This seems to be a great alternate solution, but is there a way to do this using the IAS server and the ASA? If not, I'll give this method a try. ALL of our users connect via an IPSec tunnel.

Danilo Dy Fri, 01/04/2008 - 21:11


The solution I mentioned should be fine, I have been using them for quite some time.

The only thing missing is to prompt the user at the time they log in to the ASA that their password is expiring. I haven't found the solution/documentation for that as I'm quite busy now. Anyway, even if we have this, you will still need the above, they are a good combination.

I hope Cisco has the knowledgebase for that. If they already have, it's too difficult to find it in their web site :)



