Remote User VPN Authentication + Password Management + AD + IAS + RADIUS

najeebsyed2
Level 1

Hello all,

We are attempting to use our ASA to allow our remote users to change their domain passwords when they attempt to VPN into our network.

Here are the specs for our environment:

Cisco ASA 5505 Version 7.2(2)

VPN Software : 4.8.00.0440

Windows 2003 SP2 Domain Controller: IAS(Radius)

I know there are countless organizations and individuals out there facing the same issue: AAA Services for Remote users.

I have come across several posts and documentation that highlights the pros and cons of using RADIUS and LDAP for AAA services. But I am still having a hard time seeing which is better.

Currently we are using RADIUS to authenticate our users, BUT now we want remote users to have password management capabilities, i.e. get notified of password expiration and then have the ability to change that password before it expires.

Is there a single method or combination of methods which allows remote users to do this? Also, can this method provide all the AAA services as well? I would appreciate any help. Thank you all in advance.

3 Replies

Danilo Dy
VIP Alumni

Hi,

Use the Microsoft IISADMPWD for users to be able to access an internal URL to change their password after they successfully log in.

In the user's AD account General Properties, include the user's email address. Then use this article http://www.windowsitpro.com/Article/ArticleID/46819/46819.html to configure a script and other services to notify the user when his/her password is going to expire. You can fine-tune the script; I send email to users 9-6-3 days before their password expires.

I use these two methods with a large number of users for ASA SSL VPN, PIX IPSec VPN, and also other MS AD user account usage in a Windows 2003/AD/IAS environment. You can be more creative by editing the message in the script and the URL to make it look like it was done by a professional with an expensive commercial utility. For example, in the script that sends email to users you can use the group email account of the people who manage MS AD.

If you need an SMTP server that can create distribution email accounts, can be integrated with AD, and can also be used for IMAP and POP3, use http://www.hmailserver.com

Regards,

Dandy
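An added illustration of the reminder logic described in the reply above; this is not code from the thread, from the linked windowsitpro article, or from Cisco. It models the 9-6-3 day schedule in Python over constructed sample records rather than a live LDAP query, so it runs offline. The AD attribute semantics it relies on are real (`pwdLastSet` is a Windows FILETIME in 100 ns ticks since 1601-01-01 UTC, with 0 meaning "must change password at next logon"; the domain `maxPwdAge` is a negative 100 ns interval; `userAccountControl` bit 0x10000 means the password never expires and 0x2 means the account is disabled). The change-password URL is a placeholder, the sample accounts are constructed, and the SMTP step is left to the caller.

```python
"""Password-expiry reminders for an AD/IAS domain: the 9-6-3 day schedule.

Added example, not code from the thread, the linked article, or Cisco.
Notification logic only: records are constructed, nothing is sent.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_ACCOUNTDISABLE = 0x0002          # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl: password never expires
NEVER_EXPIRES_SENTINEL = -(2 ** 63)  # maxPwdAge INT64_MIN = "never"
REMINDER_DAYS = (9, 6, 3)           # schedule used in the reply above
# Placeholder for the IISADMPWD change-password page on the intranet.
CHANGE_URL = "https://intranet.example.com/iisadmpwd/"


def datetime_to_filetime(dt: datetime) -> int:
    """Exact integer FILETIME; used here only to build sample records."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86_400 + td.seconds) * 10_000_000 + td.microseconds * 10


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def password_expiry(user: dict, max_pwd_age: int):
    """UTC datetime the password expires, or None if it never does.
    pwdLastSet == 0 ('must change at next logon') is reported as already
    expired by returning the FILETIME epoch."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age in (0, NEVER_EXPIRES_SENTINEL):
        return None
    if user["pwdLastSet"] == 0:
        return FILETIME_EPOCH
    # maxPwdAge is stored as a negative interval; negate to get the age.
    age = timedelta(microseconds=-max_pwd_age // 10)
    return filetime_to_datetime(user["pwdLastSet"]) + age


def days_until_expiry(user: dict, max_pwd_age: int, now: datetime):
    """Whole days left (floor), negative if already expired, None if never."""
    exp = password_expiry(user, max_pwd_age)
    if exp is None:
        return None
    return (exp - now).days


def users_to_notify(users, max_pwd_age, now, reminder_days=REMINDER_DAYS):
    """[(sAMAccountName, mail, days_left)] for accounts hitting a reminder day.
    Run once a day: with floor division each account matches each reminder
    day exactly once. Disabled accounts and accounts without a mail
    attribute on the General tab are skipped."""
    due = []
    for u in users:
        if u["userAccountControl"] & UF_ACCOUNTDISABLE:
            continue
        left = days_until_expiry(u, max_pwd_age, now)
        if left is None or left not in reminder_days:
            continue
        if not u.get("mail"):
            continue  # no address to send to; log this in a real job
        due.append((u["sAMAccountName"], u["mail"], left))
    return due


def build_message(account: str, days_left: int, change_url: str = CHANGE_URL) -> str:
    """Body of the reminder mail for one account."""
    return (f"Hello {account},\n\nYour domain password expires in {days_left} "
            f"day(s). While connected to the VPN, change it at {change_url} "
            f"before it expires to avoid being locked out of remote access.\n")


# ---- constructed sample data (not real accounts) -------------------------
NOW = datetime(2008, 3, 10, 8, 0, tzinfo=timezone.utc)
SAMPLE_MAX_PWD_AGE = -42 * 86_400 * 10_000_000  # 42-day maximum password age


def _last_set(days_ago: int, extra_hours: int = 0) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days_ago) + timedelta(hours=extra_hours))


SAMPLE_USERS = [
    {"sAMAccountName": "alice", "mail": "alice@example.com", "userAccountControl": 0x200, "pwdLastSet": _last_set(33)},     # 9 days left
    {"sAMAccountName": "bob", "mail": "bob@example.com", "userAccountControl": 0x200, "pwdLastSet": _last_set(36, 5)},      # 6 days 5 h left -> 6
    {"sAMAccountName": "carol", "mail": "carol@example.com", "userAccountControl": 0x10200, "pwdLastSet": _last_set(100)},  # never expires
    {"sAMAccountName": "dave", "mail": "dave@example.com", "userAccountControl": 0x200, "pwdLastSet": 0},                   # must change at logon
    {"sAMAccountName": "erin", "mail": "", "userAccountControl": 0x200, "pwdLastSet": _last_set(39)},                       # 3 days, no mail
    {"sAMAccountName": "frank", "mail": "frank@example.com", "userAccountControl": 0x200, "pwdLastSet": _last_set(32)},     # 10 days left
    {"sAMAccountName": "grace", "mail": "grace@example.com", "userAccountControl": 0x202, "pwdLastSet": _last_set(39)},     # disabled
]

if __name__ == "__main__":
    for account, mail, left in users_to_notify(SAMPLE_USERS, SAMPLE_MAX_PWD_AGE, NOW):
        print(f"To: {mail}\n{build_message(account, left)}")
```

To use this against a real domain, replace `SAMPLE_USERS` with the result of an LDAP search for `sAMAccountName`, `mail`, `userAccountControl` and `pwdLastSet`, read `maxPwdAge` from the domain root object, and hand each `(mail, body)` pair to your SMTP server. Note that `pwdLastSet == 0` accounts are deliberately not mailed: they are already expired, not expiring.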

Hello Medan,

Thanks for this great tip. I appreciate it. This seems to be a great alternate solution, but is there a way to do this using the IAS server and the ASA? If not, I'll give this method a try. ALL of our users connect via an IPSec tunnel.

Hi,

The solution I mentioned should be fine; I have been using them for quite some time.

The only thing missing is to prompt the user at the time they log in to the ASA that their password is expiring. I haven't found the solution/documentation for that as I'm quite busy now. Anyway, even if we have this, you will still need the above; they are a good combination.

I hope Cisco has a knowledge base article for that. If they already do, it's too difficult to find on their web site :)

Regards,

Dandy
