I have ACS (1113) 4.2 which has been configured for external user database authentication. I have my VPN users configured on AD. Now I want the VPN users, while connecting to the ASA, to change their passwords at the first logon.
Any help would be appreciated.
Believe it or not, they did NOT hook the AD password change protocol into the TACACS+ password change mechanism.
So even though you can do T+ through to AD, if the AD server issues a challenge of any type the T+ auth will fail.
That's the way the cookie crumbles :-(
When using a RADIUS server it will only prompt you to change the password once the password is expired or the 'User must change password' option is checked in AD.
To enable password aging for VPN users we need to use the following commands under tunnel-group general-attributes mode,
When you enable password-management on the ASA it basically converts the RADIUS requests to MS-CHAP v2 instead of PAP so that AD can pass down expiry information. All the ASA does is send an authentication request to the RADIUS server. It's up to the RADIUS server to notify the ASA that the password is expired and act as the go-between for the ASA and AD.
Do rate helpful posts
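For readers who want to see what the answer above describes in configuration form, here is an added example of an ASA configuration that enables password management for a remote-access tunnel group against a RADIUS server. It is not from the original thread or from Cisco's documentation; the server group name `ACS-RADIUS`, the address `192.0.2.10`, the shared secret and the tunnel-group name `VPN-USERS` are constructed placeholders, and the `mschapv2-capable` host setting is included on the assumption that the ASA release in use exposes it (it is what lets the ASA send MS-CHAPv2 rather than PAP, which the AD side needs in order to return the expiry information).

```text
! Constructed example, not the thread's own configuration.
! RADIUS server group pointing at ACS; AD is queried by ACS, not by the ASA.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 ! Assumed setting: allow MS-CHAPv2 so expiry/change-required state can be relayed.
 mschapv2-capable

! Tunnel group used by the VPN clients; authentication goes to the RADIUS group.
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group ACS-RADIUS
 ! Turns on password aging: the ASA will prompt when RADIUS reports an expired
 ! or must-change password. The optional warning window (days) is shown here
 ! with an arbitrary constructed value.
 password-management password-expire-in-days 14
```

Two points to keep in mind when checking this on a live box: `password-management` is a tunnel-group general-attributes command, so it has no effect on users who land in a different tunnel group, and the whole mechanism still depends on the RADIUS server (ACS here) actually relaying the AD expiry state back to the ASA; if ACS is configured to authenticate to AD with PAP, the ASA will never see a change-password prompt even with this configuration in place.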