Cisco ASA with LDAP over SSL

Unanswered Question
Aug 27th, 2009

I have configured a solution where, when VPN users log in, they are authenticated using secure LDAP by a Windows AD server. I carried out several tests with the following results:

On the AD server - Prompt user to change password at next logon - PASS

On the AD server - Force users to change password when expiry trigger hit - PASS

On the AD server - Disable windows account to make sure this is reported when logging in via VPN client - PASS

On the AD server - Expire an account to make sure this is reported when logging in via VPN client - PASS

On the AD server - Enforced password minimum length and make sure password change occurs when condition is met and does not when condition is not - PASS

On the AD server - Enforced password complexity and make sure password change occurs when condition is met and does not when condition is not - PASS

Triggered account lockout on the AD server to make sure this is reported when users log in via VPN - PASS

The only thing I tested so far that does not appear to function is when "password history" is enabled on the AD server. A user is still able to change their password to one previously used.

Does anyone know if this should or should not work, and if it does, what I may need to configure and where.

Todd Pula Fri, 08/28/2009 - 06:28

Does the password history capability work from a host connected to the LAN? If not, you may want to check out http://support.microsoft.com/kb/906305. I would have to lab test this to confirm but based on bug CSCsd60392, I don't believe that this capability exists in the current ASA code.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd60392
