07-01-2009 12:36 AM - edited 03-10-2019 04:34 PM
Hello,
I have ACS (1113) 4.2 which has been configured for external user database authentication. I have my VPN users configured in AD. Now I want the VPN users, when connecting to the ASA, to change their passwords at the first logon.
Any help would be appreciated.
Regards
Ritesh
07-01-2009 05:50 AM
Ritesh,
When using a RADIUS server it will only prompt you to change the password once the password is expired or the 'user must change password' option is checked in AD.
To enable password aging for VPN users we need to use the following command under tunnel-group general-attributes mode:
hostname(config-tunnel-general)# password-management
When you enable password-management on the ASA it basically converts the RADIUS requests to MS-CHAP v2 instead of PAP so that AD can pass down expiry information. All the ASA does is send an authentication request to the RADIUS server. It's up to the RADIUS server to notify the ASA that the password is expired and act as the go-between for the ASA and AD.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1166346
Regards,
~JG
Do rate helpful posts
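For readers who want to see where the command above sits in a full configuration, here is an added example ASA configuration (not from this thread or from Cisco's documentation). The server group name, tunnel-group name, group policy, host address and shared key are placeholders; the `mschapv2-capable` line is the aaa-server host setting that permits MS-CHAPv2 requests toward the RADIUS server, and `password-management` is the tunnel-group setting the answer above describes.

```cisco
! Added example, not from the original thread. All names, addresses and
! the shared key are placeholders to be replaced with real values.
!
! RADIUS server group pointing at the ACS box. Without mschapv2-capable
! the ASA would keep using PAP and AD's "must change password" / expiry
! state could never be relayed to the VPN client.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.10
 key <shared-secret-placeholder>
 mschapv2-capable
!
! Remote-access tunnel group that authenticates against that server group.
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy VPN-POLICY
 ! This is the setting from the answer above: it switches the RADIUS
 ! exchange to MS-CHAPv2 so the ACS/AD expiry or change-required
 ! response is forwarded to the client as a password-change prompt.
 password-management
```

As the thread notes, this only works with a RADIUS server group; with TACACS+ the AD change-password challenge is not relayed and the logon simply fails, so a RADIUS group must be the one referenced by `authentication-server-group`.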
07-01-2009 11:16 PM
ahhhh... TACACS+
Believe it or not, they did NOT hook the AD password change protocol into the TACACS+ password change mechanism.
So even though you can do T+ through to AD, if the AD server issues a challenge of any type the T+ auth will fail.
That's the way the cookie crumbles :-(
07-01-2009 02:28 AM
Memory fading... but I think the mschap v2 password change protocol was implemented in CSRadius.
However - the VPN server and supplicant would need to handle it too.
A Microsoft supplicant should automatically work. In theory the VPN server should just pass the password change challenges back to the supplicant.
Lots of ifs and buts I'm afraid. See if anyone@cisco knows ;)
07-01-2009 05:47 AM
Hi
I have done TACACS+ settings with my ASA and have created an external database (AD).
When the VPN user tries to log in, he gets the username and password prompt. But thereafter there are no prompts for changing credentials. I have also done the settings for "user must change password at next logon" in AD.
When I check ACS it says the authentication failed and "Windows password change failed".
Please help in this
regards
Ritesh