Password expiration notification

Oct 6th, 2008

Hello folks -

We have a large number of people who are using the Cisco VPN client to connect to the corporate network. VPN authentication is being done using a Cisco ACS Server. The protocol being used is TACACS+.

The issue we are running into is that when the Active Directory password expires, users are unable to VPN in.

Is there a way where password notification expiration can be configured using the VPN Client? Under the tunnel group on the ASA, there is a password-management command, but from the reading I have done, it sounds like that command cannot be used with AD.

Any help would be appreciated!!

andrew.prince@m... Tue, 10/07/2008 - 01:26

To answer your question - no. The Cisco VPN client does not support this.

I had the same issue in a previous company - the solutions were:-

1) The employees came into the office once in a while.

2) The AD system sent out reminders

3) They rang a help desk to re-set the password - who could decide if they would change the password, especially if the user DID receive the notification of the password expire reminder and ignored it :o)

After a few times, the users soon got the idea not to ignore the emails.
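
Added example (not part of the thread, and not the poster's own script): one way to implement the reminders from option 2, so remote users are warned before the expired password locks them out of the VPN. It assumes the RSAT ActiveDirectory PowerShell module; the 14-day window, SMTP relay and sender address are placeholders, and `Get-DaysUntilExpiry` is a helper written for this example.

```powershell
# Added example: run on a schedule on a host with the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$WarnDays   = 14                       # assumption: start reminding 14 days out
$SmtpServer = 'smtp.example.com'       # placeholder relay
$From       = 'helpdesk@example.com'   # placeholder sender

function Get-DaysUntilExpiry {
    param([Int64]$ExpiryFileTime, [datetime]$Now = (Get-Date))
    # 0 = must change at next logon; Int64.MaxValue = password never expires.
    # Neither is a real date, and FromFileTime() throws on MaxValue.
    if ($ExpiryFileTime -le 0 -or $ExpiryFileTime -eq [Int64]::MaxValue) { return $null }
    $expiry = [datetime]::FromFileTime($ExpiryFileTime)
    return [int][math]::Floor(($expiry - $Now).TotalDays)
}

# msDS-UserPasswordExpiryTimeComputed already accounts for fine-grained password policies.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', 'mail'

foreach ($u in $users) {
    $days = Get-DaysUntilExpiry -ExpiryFileTime $u.'msDS-UserPasswordExpiryTimeComputed'
    # Skip accounts with no real expiry date, already expired, or outside the window.
    if ($null -eq $days -or $days -lt 0 -or $days -gt $WarnDays) { continue }
    if ([string]::IsNullOrWhiteSpace($u.mail)) {
        Write-Warning "$($u.SamAccountName): expires in $days day(s) but has no mail attribute"
        continue
    }
    $body = "Your Active Directory password expires in $days day(s). " +
            "Change it while you can still connect to the VPN; once it has expired, " +
            "VPN login fails and you will need the help desk to reset it."
    Send-MailMessage -To $u.mail -From $From -SmtpServer $SmtpServer `
        -Subject "Password expires in $days day(s)" -Body $body
}
```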


John Blakley Tue, 10/07/2008 - 10:31

If you have an ASA and were using RADIUS, you can use the radius-with-expiry under the tunnel-group's ipsec-attributes. This is under the assumption that you have your accounts configured with RADIUS. I can't tell you if it runs with TACACS+ though.

