Integrate AD password renew using ASA and ACS.

g.careaga
Level 1

Hello team, I have users that are using VPN Remote Access. They authenticate with the usernames and passwords of their Windows domain accounts. To do this I am using an ASA with the asa707-k8.bin image, and an ACS 4.1(1) Build 23 Patch (this ACS is integrated with Active Directory).

The problem is that when a user does not use the VPN for a long time, the account (Windows domain user) expires; because of this they cannot access any more, and they are not able to renew the credentials (because the credentials belong to Active Directory).

So I wonder if there is a way to permit users to renew their credentials via VPN when they expire. Are there some tasks to integrate the password change request when they are connected via VPN?

8 Replies

Jagdeep Gambhir
Level 10

When using a RADIUS server, it will only prompt you to change the password once the password is expired or the 'user must change password' option is checked in AD.

To enable password aging for VPN users we need to have the following command under tunnel-group general-attributes mode:

hostname(config-tunnel-general)# password-management

When you enable password-management on the ASA, it basically converts the RADIUS requests to MS-CHAP v2 instead of PAP so that AD can pass down expiry information. All the ASA does is send an authentication request to the RADIUS server. It's up to the RADIUS server to notify the ASA that the password is expired and act as the go-between for the ASA and AD.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1166346

Regards,

~JG

Do rate helpful posts

The customer is using an ASA 5510; are there some steps to keep in mind?

Question: must the command you mentioned be executed from inside the tunnel configuration of the remote access, or is it a global command for all tunnels?

Thank you so much for your response.

Nothing special; that link covers all configuration steps.

We need to issue that command in each tunnel-group's general-attributes.

Regards,

~JG

Do rate helpful posts

Hello JG, I tried to do these steps, but I do not know if I am forgetting something.

As you can see, I tried to execute the command, but it seems that the command is not available. Could that be?

ASA(config)# tunnel-group remoto general-attributes
ASA(config-general)# ?
group_policy configuration commands:
  accounting-server-group      Enter name of the accounting server group
  address-pool                 Enter a list of address pools to assign addresses from
  authentication-server-group  Enter name of the authentication server group
  authorization-server-group   Enter name of the authorization server group
  default-group-policy         Enter name of the default group policy
  dhcp-server                  Enter IP address or name of the DHCP server
  exit                         Exit from tunnel-group general attribute configuration mode
  help                         Help for tunnel group configuration commands
  no                           Remove an attribute value pair
  strip-group                  Enable strip-group processing
  strip-realm                  Enable strip-realm processing

One more thing: I have read a document that says that in ACS you have to permit password changes using MS-CHAP version 1 and version 2 (this document was related to a VPN 3000 concentrator, but it was an interesting thing). Do you know if I have to do this in this particular case?

What is the SW version we are using? When you enable password-management on the ASA, it basically converts the RADIUS requests to MS-CHAP v2 instead of PAP so that AD can pass down expiry information.

So yes, MS-CHAPv2 should be enabled.

Regards,

~JG

OK, I will enable MS-CHAP v2 in ACS.

Now, if you mean the IOS version of the ASA, it is 7.0(8).

ansalaza
Level 1

Something simple, but important to mention, is that the ACS should be configured to allow the password change:

External User Databases > Database Configuration > Windows Database > Configure > MS-CHAP Settings > Enable password changes using MS-CHAP version 2.

Hello people, reading on Cisco's web site, I found that this feature "password-management" is included in version 7.1.1.

Here is the link:

http://www.cisco.com/en/US/docs/security/asa/asa71/release/notes/asarn711.html#wp46627

Thanks a lot.
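For reference, the ASA side of what this thread works out, as an added example and not configuration posted by anyone in the thread: a RADIUS AAA server group pointing at the ACS, bound to the remote-access tunnel-group with password-management enabled. The group name ACS-RADIUS, the interface name, the host address and the key are assumed placeholders; this requires ASA 7.1(1) or later, as the release note above states, and the ACS MS-CHAP v2 password-change setting described above must also be on.

```cisco
! --- AAA server group for the ACS (RADIUS). Address and key are placeholders.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
!
! --- Remote-access tunnel-group: authenticate against ACS and enable
! --- password-management so expired or must-change AD passwords can be
! --- renewed through the VPN. Requires ASA 7.1(1)+; the command is absent
! --- from the 7.0 help output shown earlier in the thread.
! --- password-expire-in-days N warns users N days before expiry.
tunnel-group remoto type ipsec-ra
tunnel-group remoto general-attributes
 authentication-server-group ACS-RADIUS
 password-management password-expire-in-days 7
!
! --- Verify the attribute took effect.
show running-config tunnel-group remoto
```

With password-management enabled the ASA sends MS-CHAP v2 rather than PAP to the RADIUS server, so if the ACS Windows database still has MS-CHAP v2 password changes disabled, logins with expired passwords will simply fail rather than prompt for a new password.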
