VPN - Prompt to for user to change SSL Client password

Unanswered Question
Feb 25th, 2009
User Badges:

Please tell me if there is a way for the user to change their own password once they login with the SSL VPN Client. I would like for my users to have to change their password after first login & after so many days. Is it possible for users to change their login password for the SSL VPN Client?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Anonymous (not verified) Tue, 03/03/2009 - 12:06
User Badges:

Optionally, you can configure the security appliance to warn end users when their passwords are about to expire. To do this, you specify the password-management command in tunnel-group general-attributes mode or enable the feature using ASDM at Configuration > Remote Access VPN > Clientless SSL VPN Access > Connection Profiles > Add or Edit > Advanced > General > Password Management.

The security appliance supports password management for the RADIUS and LDAP protocols. It supports the "password-expire-in-days" option for LDAP only.

You can configure password management for IPSec remote access and SSL VPN tunnel-groups.

When you configure password management, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password.

This command is valid for AAA servers that support such notification. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

bsn1980in Tue, 05/26/2009 - 23:00
User Badges:

I also have similar requirement:

I have ACS 4.2 and ASA 5550. I have configured IPSec VPN on ASA and getting remote users authenticated through ACS. It is working fine.

Now, I need, if a remote user login to VPN for first time, he must be prompted for username and password change.

I am not sure whether ACS or ASA must prompt for the same OR even this is possible. Please suggest.


s0324681 Wed, 05/27/2009 - 06:44
User Badges:

Yes, it is possible. If the user is being authenticated via RADIUS or LDAP (possibly even TACACS) you can enable password management, which will allow a user to change their password. However, the user cannot initiate the change. That is controlled by the domain group policy (assuming Windows AD). The ASA itself has no knowledge of this and I don't believe you can do this with local user accounts. Probably the best thing would be to search on "configuring password management on ASA" or something like that. If you are authenticating directly to AD instead of using RADIUS, then you must use port 389 for LDAP. 3268 will work for authentication, but is read only and cannot work with password management.

bsn1980in Wed, 07/01/2009 - 03:20
User Badges:


Now, I have Windows AD configured and integrated with ACS. ACS is integrated with ASA.

Now, if I connect to remote VPN, ASA prompt for username and password. That username is configured on Windows AD and the authentication is happening properly. Hence communication between ASA - ACS - AD is happening properly.

Now, my requirement is to enable or prompt remote VPN User for "password change". If I enable "password change on first time login" on AD user profile, authentication of the said user is failed.

Can any one comment, how we can acheive same?


Jagdeep Gambhir Wed, 07/01/2009 - 08:56
User Badges:
  • Red, 2250 points or more

When using a Radius server it will only prompt you to change password once the password is expired or the 'user must change Password' option is checked in AD.

To enable password aging for VPN users we need to have to use following commands under tunnel general attribute mode,

hostname(config-tunnel-general)# password-management

When you enable password-management on the ASA it basically converts the radius requests to MS-CHAP v2 instead of PAP so that AD can pass down expiry information. All the ASA does is send an authentication request to the Radius server. It's up to the Radius server to notify the ASA that the

password is expired and act the go between for the ASA and AD.





Do rate helpful posts

mgaysek Thu, 07/23/2009 - 11:30
User Badges:

I am currently having a problem with this. My users are being properly prompted to change their password, but it continues to fail. I have confirmed this is not related to any password complexity issues or problems. Authentication itself works fine.

mgaysek Thu, 07/23/2009 - 12:14
User Badges:

I figured this out. The account the ASA was configured to use did not have the privileges to change passwords.

guoqiang.li Thu, 07/30/2009 - 00:29
User Badges:

I try in lab,but can't get the first logon password change.

if a remote user login to VPN for first time, he still can logon vpn,but the second logon is fail.can't be prompted for username the password change.


This Discussion