VPN and Windows AD password

Answered Question
Jan 15th, 2008

My employer has implemented an AD group policy to force password changes every 3 months. This causes a problem: when a road warrior connects via VPN and then tries to access his email or a network share, it does not allow him to, as he has already logged into his laptop with his old password and AD only prompts you to change your password at login.

Can anyone tell me how they handle this situation?

Thanks in advance.

acomiskey Tue, 01/15/2008 - 06:57

What device is terminating the vpn?

It is possible to change your password via the vpn client when it has expired. This is available in pix and asa.

boschrexroth Tue, 01/15/2008 - 08:08

I am using a PIX 515 running IOS 7.1.2.

What I did was force authentication through an IAS RADIUS server which looks to AD to see if the users are members of an AD group.

I have found people using ASDM. Is this better, or can I use it in conjunction with my RADIUS server?

Thanks.

acomiskey Tue, 01/15/2008 - 08:14

This is the command you are looking for.

password-management

http://cisco.com/en/US/docs/security/asa/asa71/command/reference/p_711.html#wp1643267

Once enabled on the firewall, all you have to do is make sure you are allowing MS-CHAP v2 in your remote access policy on the IAS server.

When the user connects to the VPN and their password has expired, it will prompt them to change their password.

hostname(config)# tunnel-group group-name general-attributes
hostname(config-tunnel-general)# password-management

edit: There is also a checkbox in the remote access policy in IAS to "allow user to change password after it expires"...check it.
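Putting the pieces from this thread together, here is an added example (not from the original posts) of the firewall side of the setup on ASA/PIX 7.x: a RADIUS server group pointing at the IAS box, and the remote-access tunnel-group with password-management enabled. The group names, the server address, the ports and the secrets are placeholders; the IAS-side settings are summarised in comments because they are set in the IAS GUI, not on the CLI.

```cisco
! Added example, not from the thread. Names, addresses and secrets are placeholders.
!
! RADIUS server group that points at the IAS server (the one that checks AD group membership).
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 ! ASA/PIX defaults to the legacy RADIUS ports 1645/1646; make these match what IAS listens on.
 authentication-port 1812
 accounting-port 1813
!
! Remote-access tunnel-group for the IPsec VPN client ("type ipsec-ra" is the 7.1 syntax).
tunnel-group RA-VPN type ipsec-ra
tunnel-group RA-VPN general-attributes
 authentication-server-group IAS-RADIUS
 ! The command from the thread: when RADIUS reports the password as expired, the VPN client
 ! prompts the user for a new password instead of simply failing the connection.
 password-management
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key GROUP-PSK-PLACEHOLDER
!
! IAS side (GUI): remote access policy -> Edit Profile -> Authentication tab -> enable MS-CHAP v2
! and "User can change password after it has expired"; on the RADIUS client entry for this
! firewall set Client-Vendor to Microsoft.
!
! Check from exec mode before testing with a real client (fails if IAS is down or the key is wrong):
!   test aaa-server authentication IAS-RADIUS host 192.0.2.10 username TESTUSER password TESTPASS
```

After that, a user flagged "must change password at next logon" is the quickest end-to-end test; if the client is not prompted for a new password, the IAS events under the System log on the IAS server are the place to look, as the thread says.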

boschrexroth Tue, 01/15/2008 - 08:58

Thanks a lot for your help.

Which policy do I have to create in order to see the "allow user to change password after it expires" check box? I only have the "Date and Time Restriction" and "Windows Group" policies.

Thanks.

Correct Answer
acomiskey Tue, 01/15/2008 - 09:43

Open your existing remote access policy. Select "Edit Profile". Select the "Authentication" tab. Check MSCHAP V2 and check "user can change password after it expires".

Also, on the radius client properties for the ASA, the Client-Vendor needs to be Microsoft.

After you've set it all up you can test it by setting a user to must change password at next logon. If you've done it all right, the vpn client will now ask for username, password and domain. You can either enter the domain or leave it blank. The user should then be prompted to enter a new PIN/password.

If it doesn't work, check your Event Viewer on the IAS server under System. Check the IAS events for errors.

Michael.Tuggle@... Thu, 05/22/2008 - 11:56

I appreciate your posts but I am having an issue with this setup. Once I enable password management I am no longer able to log in. I followed all your suggestions, which are great, but is there anything else you can think of to try?

acomiskey Tue, 05/27/2008 - 08:07

Michael,

Need a little more info to help you. Are you using IAS? Have you looked at the logs on the IAS server in the Event Viewer?

Michael.Tuggle@... Wed, 05/28/2008 - 03:38

I appreciate you getting back, but the problem has been solved. It seems that IAS was hung and not answering requests. I do want to thank you for posting the IAS instructions; they were very helpful.

kbyrd Tue, 07/29/2008 - 07:13

Will this solution also work for the different SSL VPN implementations? I think I see how it might work with AnyConnect, but I am not sure how it would work with a clientless VPN. My customer wants to set up a clientless VPN solution using AD authentication; however, most of the users are not MS Office users who would typically be prompted for password changes. Thanks.
