I currently have ASA5505 VPN clients authenticating via the local database (which I see as a simple typo machine :)
I'm required to make users change their password to comply with complexity and minimum length rules, which to my understanding cannot be done directly on the ASA.
I've set up an IAS which uses RADIUS Standard for the ASA5505 client.
Now I have 2 groups of users using the same tunnel with the local database:
users who are also domain users -> for those users I assume IAS will solve the problem by syncing with AD
users who are NOT domain users -> how do I apply those rules to these users?
How should I configure the aaa-server on the ASA, and what should I change on the tunnel group, in order to make all of this work?
Your AAA server should be a RADIUS type with, of course, the correct settings (key, IP and so on). After this change has been done, you need to go into the tunnel-group mode (general-attributes) and call your AAA server for authentication: authentication-server group LOCAL
LOCAL will be there only for fallback.
After this change is done, and your IAS connects to the AD correctly, you should be able to authenticate. NOTE: doing this change on the config will force all users to have a valid username in the IAS/AD schema; the local database will only be used when RADIUS fails.
Now, to give the VPN clients the ability to change the password, you will need to go ahead and enable "ms-chap v2" under the tunnel-group PPP attributes, and the moment this is done, the Domain field will be displayed on the XAUTH prompt of the VPN client. As well, the keyword "password-management" has to be enabled under the general-attributes.
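The ASA configuration the answer describes, as an added example that is not part of the original answer; the server-group name IAS-RADIUS, the tunnel-group name VPN-CLIENTS, the interface name, the IAS address 10.0.0.5 and the shared key are assumed placeholders:

```text
! Added example, not the poster's config. Names, the IAS address and the key are placeholders.
! 1. Define the RADIUS server group pointing at the IAS box.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 10.0.0.5
 key REPLACE-WITH-SHARED-SECRET
!
! 2. Make the tunnel group authenticate against RADIUS first.
!    LOCAL is listed second, so the local database is consulted only
!    when the RADIUS servers are unreachable, not when RADIUS rejects a user.
!    password-management lets the client prompt for a new password when
!    the server reports it as expired / must-change.
tunnel-group VPN-CLIENTS general-attributes
 authentication-server-group IAS-RADIUS LOCAL
 password-management
!
! 3. Enable MS-CHAPv2 so the password change can be carried by the exchange
!    (this is what makes the Domain field appear in the XAUTH prompt).
tunnel-group VPN-CLIENTS ppp-attributes
 authentication ms-chap-v2
```

Before cutting users over, confirm the RADIUS path works from the ASA CLI with `test aaa-server authentication IAS-RADIUS host 10.0.0.5 username <user> password <pass>`; a reject there means the user does not exist on the IAS/AD side, and as the answer notes such users will not fall back to the local database.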