04-16-2010 05:38 AM
VPN Client Password Expiry issue.
ASA 5510 running 8.2(1) image
Cisco VPN Client 5.0.01.0600
Windows Active Directory server 2003
I am currently having issues with the password expiry feature within remote connections authenticating with the Active Directory server.
The Secure LDAP connection is configured and working with user authenticating with Active Directory and getting the correct dynamic policy based on the AD group Membership.
If I set the ‘Users must change password at next login’ flag on the Active Directory user account, the remote user is prompted to enter a new password at the first login as expected. I have entered the ‘password-management’ command on the ASA profile to achieve this; however, I was also expecting to get a warning message telling the users ‘Password will expire in n days’, and this does not occur.
I have set up an account whose password is due to expire in 12 days and logged into a local Windows system to ensure the message is definitely being displayed and the password is set to time out. I have also set ‘password-management password-expire-in-days 14’ (and have tried other values) on the ASA. However, the ASA log states the password has expired and aborts the connection.
What do I need to do to get this warning message to the remote end user?
Any assistance is gratefully received.
Cheers
Steve
aaa-server LDAP-RAS-ACCESS protocol ldap
aaa-server LDAP-RAS-ACCESS (inside) host B-ACS-LDAP-SERVER
timeout 5
server-port 636
ldap-base-dn cn=Users,dc=testrig,dc=company,dc=com
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=administrator,cn=Users,dc=testrig,dc=company,dc=com
ldap-over-ssl enable
server-type microsoft
!
tunnel-group LDAP-RAS-ACCESS type remote-access
tunnel-group LDAP-RAS-ACCESS general-attributes
address-pool RAS-VPN-POOL
authentication-server-group LDAP-RAS-ACCESS
authentication-server-group (inside) LDAP-RAS-ACCESS
accounting-server-group ACS-RAS-ACCESS
strip-realm
password-management password-expire-in-days 13
strip-group
tunnel-group LDAP-RAS-ACCESS ipsec-attributes
pre-shared-key *
tunnel-group LDAP-RAS-ACCESS ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
04-16-2010 05:52 AM
Do you have group-lock configured too? If you do, it looks like you are hitting bug ID CSCsy80242.
04-16-2010 06:10 AM
Hello
Thanks for the fast response, I am currently using the default group policy and the group-lock is set to none.
group-lock none
Regards
Steve
04-16-2010 06:36 AM
OK, it seems to be this bug ID: CSCsy52125 - pswd-mgmt w/IPSec Client - pssword expires in X days broken
Unfortunately it's an internal bug, so you can't view it through the bug tool kit. The fix is in ASA version 8.2.1(10).
04-19-2010 12:44 AM
I have upgraded to version 8.2(2) and am still experiencing the same problem.
I have an account with a password expiring in 10 days. If I set the 'Password Management' on the ASA to anything less than 10 days the user is allowed access; however, if I set it to 10 days or more there are no expiry warning messages and the user is denied access, and the ASA log shows the password expiring.
5|Apr 19 2010|10:28:06|713904|||||IP = 192.168.20.102, Received encrypted packet with no matching SA, dropping
3|Apr 19 2010|10:28:06|713194|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Sending IKE Delete With Reason message: No Reason Provided.
3|Apr 19 2010|10:28:06|713048|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Error processing payload: Payload ID: 14
6|Apr 19 2010|10:28:06|725007|10.20.10.14|22452|||SSL session with server inside:10.20.10.14/22452 terminated.
6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me
6|Apr 19 2010|10:28:06|725002|10.20.10.14|22452|||Device completed SSL handshake with server inside:10.20.10.14/22452
6|Apr 19 2010|10:28:06|725005|10.20.10.14|22452|||SSL server inside:10.20.10.14/22452 requesting our device certificate for authentication.
6|Apr 19 2010|10:28:06|725001|10.20.10.14|22452|||Starting SSL handshake with server inside:10.20.10.14/22452 for TLSv1 session.
Cheers
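To make the symptom in this post and in the original question concrete, here is an added example (not code from the thread, from Cisco, or from any poster) showing two defender-side checks: how the days-until-expiry figure comes out of the AD attributes pwdLastSet and the domain's maxPwdAge, and how to pull the 113005 "Password is expiring" rejection out of the pipe-delimited ASA log export quoted above. The `reported_asa_outcome` function only encodes the allowed/rejected split the poster observed on 8.2(2); it is not a claim about the ASA's implementation. All sample values (the 42-day domain policy, the timestamps, the log lines) are constructed.

```python
"""Added example (not from the thread or from Cisco). Sample data is constructed."""
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def password_expiry(pwd_last_set: int, max_pwd_age: int) -> Optional[datetime]:
    """Expiry = pwdLastSet + domain maximum password age.

    maxPwdAge on the domain object is stored as a NEGATIVE tick count, hence the
    subtraction. pwdLastSet == 0 means 'must change at next logon' and
    maxPwdAge == 0 means passwords never expire; both return None. Accounts with
    the DONT_EXPIRE_PASSWORD userAccountControl flag should be skipped by the caller.
    """
    if pwd_last_set == 0 or max_pwd_age == 0:
        return None
    return filetime_to_datetime(pwd_last_set - max_pwd_age)


def days_until_expiry(pwd_last_set: int, max_pwd_age: int, now: datetime) -> Optional[int]:
    expiry = password_expiry(pwd_last_set, max_pwd_age)
    return None if expiry is None else (expiry - now).days


def reported_asa_outcome(days_left: int, expire_in_days: int) -> str:
    """The split the poster observed on 8.2(2): a threshold below the remaining
    days lets the user in, a threshold at or above it rejects the logon. The
    feature's purpose is to warn inside that window, so the rejected branch is
    the symptom being diagnosed, not expected behaviour."""
    return "allowed" if expire_in_days < days_left else "rejected: Password is expiring"


# ASA log export format as quoted in the thread:
# severity|date|time|msgid|src|sport|dst|dport|message
def parse_asa_export_line(line: str) -> dict:
    fields = line.rstrip("\n").split("|", 8)
    if len(fields) != 9:
        raise ValueError(f"unexpected field count: {line!r}")
    keys = ("severity", "date", "time", "msgid", "src", "sport", "dst", "dport", "text")
    return dict(zip(keys, fields))


REJECT_RE = re.compile(r"reason = (?P<reason>.*?) : server = (?P<server>\S+) : user = (?P<user>\S+)")


def find_expiry_rejections(lines) -> list:
    """Return AAA rejections (message 113005) whose reason mentions expiry."""
    hits = []
    for line in lines:
        rec = parse_asa_export_line(line)
        if rec["msgid"] != "113005":
            continue
        m = REJECT_RE.search(rec["text"])
        if m and "expir" in m.group("reason").lower():
            hits.append({"user": m.group("user"), "server": m.group("server"), "reason": m.group("reason")})
    return hits


# --- constructed sample data (assumed 42-day domain policy, password set 32 days ago) ---
NOW = datetime(2010, 4, 19, 10, 28, 6, tzinfo=timezone.utc)
SAMPLE_MAX_PWD_AGE = -42 * 86400 * TICKS_PER_SECOND
SAMPLE_PWD_LAST_SET = datetime_to_filetime(NOW - timedelta(days=32))  # expires in 10 days

SAMPLE_LOG = [
    "3|Apr 19 2010|10:28:06|713048|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Error processing payload: Payload ID: 14",
    "6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me",
    "6|Apr 19 2010|10:28:06|725002|10.20.10.14|22452|||Device completed SSL handshake with server inside:10.20.10.14/22452",
]

if __name__ == "__main__":
    left = days_until_expiry(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, NOW)
    print(f"days until expiry: {left}")
    for threshold in (9, 10, 13):
        print(f"password-expire-in-days {threshold}: {reported_asa_outcome(left, threshold)}")
    for hit in find_expiry_rejections(SAMPLE_LOG):
        print(hit)
```

Running the block against the constructed data prints 10 days remaining, "allowed" for a threshold of 9 and "rejected" for 10 and 13, matching the split described in the post, and pulls the single 113005 rejection for user `me` out of the log sample. With a real export, feed the file's lines to `find_expiry_rejections` to list which users are being bounced for expiry rather than for a bad password.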
04-19-2010 12:48 AM
You might want to check with TAC if 8.2.2 has the bug fix.