Integrate AD password renewal using ASA and ACS.

Feb 11th, 2009

Hello team, I have users that are using VPN Remote Access. They authenticate with the usernames and passwords of their Windows domain accounts. To do this I am using an ASA with the asa707-k8.bin image, and an ACS 4.1(1) Build 23 Patch (this ACS is integrated with Active Directory).

The problem is that when a user does not use the VPN for a long time, the account (Windows domain user) expires; they cannot access any more because of this, and they are not able to renew the credentials (because the credentials belong to Active Directory).

So I wonder if there is a way to permit users to renew their credentials via VPN when they expire. Are there some tasks to integrate the password-change request when they are connected via VPN?

Jagdeep Gambhir Wed, 02/11/2009 - 08:29

When using a RADIUS server it will only prompt you to change the password once the password is expired or the 'user must change password' option is checked in AD.

To enable password aging for VPN users we need to have the following command under tunnel-group general-attributes mode:

hostname(config-tunnel-general)# password-management

When you enable password-management on the ASA it basically converts the RADIUS requests to MS-CHAP v2 instead of PAP so that AD can pass down expiry information. All the ASA does is send an authentication request to the RADIUS server. It's up to the RADIUS server to notify the ASA that the password is expired and act as the go-between for the ASA and AD.

Do rate helpful posts
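The ASA side of what the reply above describes, written out as an added configuration example (this is not from the original thread or from Cisco documentation). The server group name, addresses, shared secret, address pool and group policy are assumed placeholders; the tunnel-group name "remoto" is the one used later in the thread. Note that the `password-management` command is not listed in the 7.0(8) help output shown further down, so the tunnel-group part only applies on a release that has it.

```cisco
! Added example, not from the thread. Placeholder names and addresses.
!
! RADIUS server group pointing at the ACS that is joined to Active Directory.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.1.1.10
 key SharedSecretPlaceholder
!
! Remote-access tunnel group. password-management is per tunnel-group,
! not global, so repeat it in every tunnel-group that should offer
! the change-password prompt.
tunnel-group remoto type ipsec-ra
tunnel-group remoto general-attributes
 address-pool vpn-pool
 authentication-server-group ACS-RADIUS
 default-group-policy remoto-policy
 ! With this set, the ASA sends MS-CHAPv2 rather than PAP in the
 ! Access-Request, which is what lets ACS relay the AD expiry state
 ! and the change-password exchange back to the client.
 password-management
!
! Checks after configuring (run from privileged EXEC):
! show running-config tunnel-group remoto
!   - confirm password-management appears under general-attributes
! test aaa-server authentication ACS-RADIUS host 10.1.1.10 username jdoe password Placeholder1
!   - confirms the RADIUS path and shared secret before involving a VPN client
! debug radius
!   - the Access-Request should carry MS-CHAP2-Response, not User-Password,
!     once password-management is in effect
```

On the ACS side, password changes over MS-CHAPv2 must also be allowed for the Windows external database, otherwise ACS rejects the change even though the ASA now offers the prompt.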

g.careaga Wed, 02/11/2009 - 08:38

The customer is using an ASA 5510; are there some steps to keep in mind?

Question: must the command you mentioned be executed from inside the remote-access tunnel configuration, or is it a global command for all tunnels?

Thank you so much for your response.

Jagdeep Gambhir Wed, 02/11/2009 - 09:05

Nothing special, that link covers all configuration steps.

We need to issue that command in each tunnel-group general-attributes.

Do rate helpful posts

g.careaga Thu, 02/12/2009 - 04:21

Hello JG, I tried to do these steps, but I do not know if I am forgetting something.

If you see, I tried to execute the command, but it seems that the command is not available; may it be?

ASA(config)# tunnel-group remoto general-attributes
ASA(config-general)# ?

group_policy configuration commands:
  accounting-server-group      Enter name of the accounting server group
  address-pool                 Enter a list of address pools to assign addresses from
  authentication-server-group  Enter name of the authentication server group
  authorization-server-group   Enter name of the authorization server group
  default-group-policy         Enter name of the default group policy
  dhcp-server                  Enter IP address or name of the DHCP server
  exit                         Exit from tunnel-group general attribute configuration mode
  help                         Help for tunnel group configuration commands
  no                           Remove an attribute value pair
  strip-group                  Enable strip-group processing
  strip-realm                  Enable strip-realm processing

One more thing, I have read a document that says that in ACS you have to permit password changes using MS-CHAP version 1 and version 2 (this document was related to a VPN 3000 concentrator, but it was an interesting thing). Do you know if I have to do this in this particular case?

Jagdeep Gambhir Thu, 02/12/2009 - 05:35

What is the SW version we are using? When you enable password-management on the ASA it basically converts the RADIUS requests to MS-CHAP v2 instead of PAP so that AD can pass down expiry information.

So yes, MS-CHAPv2 should be enabled.

g.careaga Thu, 02/12/2009 - 05:43

Ok, I will enable MS-CHAPv2 in ACS.

Now, if you mean the version of the IOS on the ASA, it is 7.0(8).

ansalaza Fri, 02/13/2009 - 09:52

Something simple, but important to mention, is that the ACS should be configured to allow the password change:

External User Databases
  Database Configuration
    Windows Database
      MS-CHAP Settings
        Enable password changes using MS-CHAP version 2.
