VPN user getting POP up window to change credentials

riteshmalpani
Level 1

Hello,

I have an ACS 1113 running 4.2 which has been configured for external user database authentication. My VPN users are configured in AD. Now I want the VPN users, when connecting to the ASA, to be forced to change their passwords at first logon.

Any help would be appreciated.

Regards

Ritesh


4 Replies

darpotter
Level 5

Memory fading... but I think the MS-CHAPv2 password change protocol was implemented in CSRadius.

However - the VPN server and supplicant would need to handle it too.

A Microsoft supplicant should automatically work. In theory the VPN server should just pass the password change challenges back to the supplicant.

Lots of ifs and buts, I'm afraid. See if anyone@cisco knows ;)

Hi

I have done TACACS+ settings on my ASA and have created an external database (AD).

When the VPN user tries to log in, he gets the username and password prompt, but thereafter there are no prompts for changing credentials. I have also set "change password at next logon" for the user in AD.

When I check ACS it says the authentication failed and "Windows password change failed".

Please help in this

regards

Ritesh

ahhhh... TACACS+

Believe it or not, they did NOT hook the AD password change protocol into the TACACS+ password change mechanism.

So even though you can do T+ through to AD, if the AD server issues a challenge of any type the T+ auth will fail.

That's the way the cookie crumbles :-(

Ritesh,

When using a RADIUS server it will only prompt you to change the password once the password has expired or the 'User must change password at next logon' option is checked in AD.

To enable password aging for VPN users we need to use the following command under tunnel-group general-attributes mode:

hostname(config-tunnel-general)# password-management

When you enable password-management on the ASA it basically converts the RADIUS requests to MS-CHAPv2 instead of PAP so that AD can pass down expiry information. All the ASA does is send an authentication request to the RADIUS server. It's up to the RADIUS server to notify the ASA that the password is expired and act as the go-between for the ASA and AD.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1166346

Regards,

~JG

Do rate helpful posts
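The RADIUS path JG describes, written out as a complete ASA configuration. This is an added example, not configuration from the original thread or from Cisco documentation: the server group name RADIUS-AD, the tunnel-group name RA-VPN, the interface name, the host address 10.1.1.10 and the shared secret are placeholders. It shows the weak setting (the ASA sending PAP, so AD expiry state never reaches the client) beside the corrected one, and the ASA-side check for the RADIUS path.

```cisco
! --- Before: PAP-only RADIUS, no password management ---------------------
! With this configuration the VPN user is never told the password is expired
! or must be changed. ACS sees the AD "must change" flag, but the ASA only
! sent a PAP Access-Request, so the failure comes back as a plain reject.
aaa-server RADIUS-AD protocol radius
aaa-server RADIUS-AD (inside) host 10.1.1.10
 key SharedSecret123          ! placeholder; use a long random secret
 no mschapv2-capable          ! RADIUS requests are sent as PAP
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUS-AD
 ! (no password-management)

! --- After: MS-CHAPv2 to ACS plus password-management ---------------------
! mschapv2-capable is the default for a RADIUS host; it is spelled out here
! because password-management only does anything when the ASA can send
! MS-CHAPv2, which is how ACS relays AD's expiry / must-change state back.
aaa-server RADIUS-AD protocol radius
aaa-server RADIUS-AD (inside) host 10.1.1.10
 key SharedSecret123          ! placeholder shared secret
 mschapv2-capable
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUS-AD
 password-management
```

Two things to verify after applying the "after" block. On the ASA, `test aaa-server authentication RADIUS-AD host 10.1.1.10 username <user> password <password>` confirms that the ASA can reach ACS and that ACS accepts a normal (non-expired) AD credential; if that already fails, fix the shared secret or the ACS AAA-client entry before looking at password changes. On the ACS side, the Windows external user database must be allowed to perform password changes over MS-CHAPv2 for the relay to work (the exact option name depends on the ACS version, so check it in your own ACS rather than assuming it from this note). As the thread points out, the client also has to support the change-password exchange, and with RADIUS the prompt only appears when the password has expired or the AD "must change at next logon" flag is set; `password-management password-expire-in-days` warnings ahead of expiry apply to LDAP, not to RADIUS, so do not expect advance notice on this path. None of this applies to TACACS+, where an AD challenge simply fails the authentication.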
