VPN Client Password Expiry issue.
ASA 5510 running 8.2(1) image
Cisco VPN Client 5.0.01.0600
Windows Active Directory server 2003
I am currently having issues with the password expiry feature within remote connections authenticating with the Active Directory server.
The Secure LDAP connection is configured and working, with users authenticating with Active Directory and getting the correct dynamic policy based on their AD group membership.
If I set the ‘User must change password at next logon’ flag on the Active Directory user account, the remote user is prompted to enter a new password at the first login as expected. I have entered the ‘password-management’ command on the ASA profile to achieve this; however, I was also expecting to get a warning message telling the user ‘Password will expire in n days’, and this does not occur.
I have set up an account whose password is due to expire in 12 days, and logged into a local Windows system to ensure the message is definitely being displayed and the password is set to time out. I have also set ‘password-management password-expire-in-days 14’ (and have tried other values) on the ASA. However, the ASA log states that the password has expired and aborts the connection.
What do I need to do to get this warning message to the remote end user?
Any assistance is gratefully received.
aaa-server LDAP-RAS-ACCESS protocol ldap
aaa-server LDAP-RAS-ACCESS (inside) host B-ACS-LDAP-SERVER
tunnel-group LDAP-RAS-ACCESS type remote-access
tunnel-group LDAP-RAS-ACCESS general-attributes
authentication-server-group (inside) LDAP-RAS-ACCESS
password-management password-expire-in-days 13
tunnel-group LDAP-RAS-ACCESS ipsec-attributes
tunnel-group LDAP-RAS-ACCESS ppp-attributes
no authentication chap
no authentication ms-chap-v1
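Added example, not part of the original post or of any Cisco code: a small Python helper that derives an AD account's password-expiry state from the raw attributes an LDAP client sees (pwdLastSet, the domain's maxPwdAge, userAccountControl), so the account described above can be checked independently against what the ASA log reports. The warning threshold function is assumed to mirror the password-expire-in-days setting; all attribute values and dates are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Windows FILETIME epoch: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: "Password never expires"
INT64_MIN = -0x8000000000000000   # maxPwdAge of Int64.MinValue: domain passwords never expire

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (e.g. pwdLastSet) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build constructed samples."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_state(pwd_last_set: int, max_pwd_age: int,
                   user_account_control: int, now: datetime) -> Tuple[str, Optional[int]]:
    """Classify an AD password from the attributes an LDAP bind can read:
       'must-change'  pwdLastSet == 0 ("User must change password at next logon")
       'never'        DONT_EXPIRE_PASSWD is set, or the domain has no maximum age
       'expired'      pwdLastSet + maxPwdAge lies in the past
       'expiring'     otherwise; second element is the whole days remaining
    AD stores maxPwdAge as a negative 100-ns interval (e.g. -36288000000000 = 42 days)."""
    if pwd_last_set == 0:
        return "must-change", None
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, INT64_MIN):
        return "never", None
    max_age = timedelta(microseconds=(-max_pwd_age) // 10)
    remaining = filetime_to_datetime(pwd_last_set) + max_age - now
    if remaining <= timedelta(0):
        return "expired", 0
    return "expiring", remaining.days

def expiry_warning(state: str, days_left: Optional[int], expire_in_days: int = 14) -> Optional[str]:
    """Assumed mirror of the ASA password-expire-in-days threshold: warn only while the
    password is still valid but will expire within the configured number of days."""
    if state == "expiring" and days_left is not None and days_left <= expire_in_days:
        return f"Password will expire in {days_left} days"
    return None

if __name__ == "__main__":
    # Constructed sample: 42-day domain policy, password last set 30 days before 'now'.
    now = datetime(2009, 6, 1, tzinfo=timezone.utc)
    max_pwd_age = -42 * 24 * 3600 * 10_000_000
    pwd_last_set = datetime_to_filetime(datetime(2009, 5, 2, tzinfo=timezone.utc))
    state, days = password_state(pwd_last_set, max_pwd_age, 0x200, now)
    print(state, days, expiry_warning(state, days, 14))
```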