Cisco ASA with LDAP over SSL

paultribe (Level 1)

I have configured a solution where, when VPN users log in, they are authenticated using secure LDAP by a Windows AD server. I carried out several tests with the following results:

On the AD server - Prompt user to change password at next logon - PASS

On the AD server - Force users to change password when expiry trigger hit - PASS

On the AD server - Disable a Windows account to make sure this is reported when logging in via the VPN client - PASS

On the AD server - Expire an account to make sure this is reported when logging in via the VPN client - PASS

On the AD server - Enforce a password minimum length and make sure the password change occurs when the condition is met and does not when the condition is not - PASS

On the AD server - Enforce password complexity and make sure the password change occurs when the condition is met and does not when the condition is not - PASS

Triggered account lockout on the AD server to make sure this is reported when users log in via VPN - PASS

The only thing I tested so far that does not appear to function is when "password history" is enabled on the AD server. A user is still able to change their password to one previously used.

Does anyone know if this should or should not work, and if it does, what I may need to configure and where?
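For readers who want to reproduce the setup being tested above, the following ASA configuration is an added illustration, not the poster's own configuration. The server address, base DN, bind account, tunnel-group name and expiry warning period are assumed placeholders. The two pieces that matter for the tests listed are LDAP over SSL on port 636 with server-type microsoft (so the ASA interprets AD's account-state and password-policy responses), and password-management under the tunnel-group, which is what lets the VPN client prompt for a password change at all.

```text
! --- AAA server group: Active Directory over LDAPS (placeholder values) ---
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! bind account used for the directory search and for password operations
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-account-password>
 ! LDAP over SSL; AD listens on 636 for LDAPS
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
!
! --- Remote-access tunnel group using that server group ---
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAPS
 ! enables expired/forced password-change handling during login;
 ! the number is how many days before expiry the user is warned
 password-management password-expire-in-days 3
```

Note that the password change is carried out by the ASA on the user's behalf using the bind account, not by the user's own LDAP session, which is why the behaviour can differ from a password change made from a domain-joined host on the LAN.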

1 Reply

Todd Pula (Level 7)

Does the password history capability work from a host connected to the LAN? If not, you may want to check out http://support.microsoft.com/kb/906305. I would have to lab test this to confirm but based on bug CSCsd60392, I don't believe that this capability exists in the current ASA code.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsd60392