Password aging with VPN Client not working

Unanswered Question
Dec 15th, 2009
I need to force the Cisco VPN client to change his password on first login. In my setup I have the VPN client username locally created in a Cisco ACS 4.1 database and we are establishing the VPN Remote Access tunnel to an ASA5510 version 8.2.

So in ACS I went to password aging rules and clicked "Password expires on first login", then I tried to log in and connect, but then authentication failed with no pop-up window to force the customer to change his password. When I see the ACS logs I can see that the password has expired, but I'm never asked to change the password on the VPN client.


I also have the password-management (previously radius-with-expiry) option enabled on the tunnel-group general attributes of the ASA5510.


So how can I enable the user to change his password and show pop-up window for him to change it?


Regards,



Fernando Aguirre

Jatin Katyal (Cisco Employee) Sat, 12/19/2009 - 05:39

Fernando:


Going through your post, I noticed that you have "password-management" enabled under the concerned tunnel-group to use the password expiry feature for VPN clients.

The command is correct because radius-with-expiry was deprecated from 7.1.1. The password-management command replaces it. The no form of the radius-with-expiry command is no longer supported.

Since you have the user created on Cisco ACS (RADIUS server), this will not work with the password aging feature.
It will only work if the user is in the Windows database. The password policy should only be configured on the Windows user database.


For VPN users, if we are using radius-with-expiry / RADIUS (proxy to AD) and ACS using Active Directory as the back-end database, we cannot send any warning messages to the end client about the days remaining for their password to expire. The password expiry will happen through ACS, when the change is required, and it is only at that moment that the user will be prompted to change the password. But users won't get any pre-warning messages.


You have to use the Windows database if you want to use ACS as a RADIUS server, OR you can use a direct LDAP database bypassing the ACS. With LDAP, you can also get a warning message that the password will expire in N days, unlike RADIUS.


If we are using ASA/PIX version 7.2 or above and you want that warning message to appear, then you can try configuring the ASA for LDAP authentication rather than RADIUS authentication. For LDAP authentication, you would be required to configure the firewall appropriately and then make use of the password-expiry feature on the ASA.


Configuring Microsoft Active Directory Settings for Password Management:


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1166214


Configuring IPSec Remote-Access Connection Profile General Attributes (refer to Step 9):


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1133080


Do let me know if you need any further assistance on this.



HTH

JK


Pls rate helpful posts-
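The following ASA CLI fragment is an added illustration of the LDAP approach described in the reply above; it is not part of the original thread and not Cisco's own documentation. It points the remote-access connection profile at Active Directory over LDAP and enables password-management with a pre-expiry warning, which is the combination that lets the VPN client show the change-password prompt. The server name AD-LDAP, host address, base DN, bind DN and tunnel-group name are assumed placeholders. One practical caveat for Active Directory: the ASA can only change an AD password over LDAP when the session is protected with SSL (LDAPS on port 636), so ldap-over-ssl is required for the change prompt to succeed, not just for the warning.

```text
! Added example (not from the original thread): ASA 8.x configuration that
! follows the reply's advice - authenticate VPN users against Active
! Directory over LDAP and enable password-management on the tunnel-group.
! Assumed values: AD-LDAP, 10.0.0.10, the DNs, REMOTE-USERS, <bind-password>.

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ! Password changes against AD require LDAP over SSL (port 636).
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Least-privilege bind account used only to locate user objects.
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>

tunnel-group REMOTE-USERS general-attributes
 authentication-server-group AD-LDAP
 ! Prompts for a new password when it has expired (or on first login when
 ! "user must change password at next logon" is set in AD) and warns the
 ! user 3 days beforehand; the warning is only available with LDAP.
 password-management password-expire-in-days 3
```

With RADIUS to ACS in the path, the same tunnel-group command still triggers the change prompt only when ACS proxies to a Windows/AD database; the password-expire-in-days warning is never sent over RADIUS, which is why the reply recommends direct LDAP when the warning is wanted.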
