How to setup to change password for VPN

Unanswered Question
Aug 21st, 2008
User Badges:

We have ASA 5550, Steel-Belted Radius and Windows 2003 Active Directory. I am trying to setup so that the users can change the password when the password expires. We have over 1000 users.

I setup "password-management password-expire-in-days 14" in ASA. At the VPN client, it prompted for the User Name, Password, and Domain. I typed in the password. Then, it prompted me for a screen for the new password and confirm new password. Then, it prompted back the screen for the user name, password and domain. I typed in the new password and got the error message "413 User authentication failed". How do you setup so that the users can change password before the password expires? Any help is greatly appreciated.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
smahbub Wed, 08/27/2008 - 05:47
User Badges:
  • Silver, 250 points or more

To enable password management, use the password-management command in tunnel-group general-attributes configuration mode. To disable password management, use the no form of this command. To reset the number of days to the default value, use the no form of the command with the password-expire-in-days keyword specified.

If you do not specify this command, no password management occurs. If you do not specify the password-expire-in-days keyword, the default length of time to start warning before the current password expires is 14 days.

jjohnson36 Thu, 09/04/2008 - 19:44
User Badges:

Thanks for your response.

If I setup Password-Management and do not specify the password-expire-in-days in ASA, do I need to setup anything in Active Directory so that Active Directory will inform the users that their password will expire in 14 days?


Danilo Dy Wed, 09/03/2008 - 05:36
User Badges:
  • Blue, 1500 points or more

If you want Active Directory users to be notified before their password expires, use this script in Windows 2003 and run it in Task Scheduler everyday. Remember to put the user email address in the Active Directory user account properties. You can amend the script to notify the user 9-6-3 days before their password expires. Be creative and add more info in the email, like the URL created in IISADMPWD so that users will know where to change their password.

If you want Active Directory users to change their password before it expires, search for IISADMPWD in Microsoft Knowledgebase. For security, you can copy the IISADMPWD files outside Windows System Directory and point the IIS home directory there. Make the page available only after the user successfully login to the VPN. You can be creative to amend the IISADMPWD files to provide information to users when they browse the page, like password difficulty, etc.

You need IIS and SMTP.


This Discussion