Password expiration in Cisco VPN Client using ACS with Windows Database

Unanswered Question
May 20th, 2010

How do I configure password expiration in Cisco VPN client if the user account is in Windows Database?

@mmorfejr Fri, 05/21/2010 - 02:48

Hi Ganesh,

Thanks for taking time to answer my question, unfortunately I forgot to mention that I'm using a PIX 525 firewall and not a Cisco IOS although I was able to modify some settings in my ACS and Windows AD, it still doesn't work. I think there are still some items that need to be reconfigured on the firewall.

Would you be able to send me a link as well using a PIX firewall?


hdashnau Fri, 05/21/2010 - 11:57


Password management on pix/asa is a simple matter. To enable it just add "password-management" to your remote access tunnel-group. There is an additional part of this command called expire-in-days. Note that you can only use expire-in-days if you are using ldap authentication to your AD server. expire-in-days will not work with radius authentication to IAS and then to AD. One other thing to keep in mind, is that for ldap authentication you need to make sure the login-dn in your ldap aaa server group has admin rights (to be able to change passwords in AD) and you should use ldap-over-ssl.

You can read more about password-management in the pix/asa here:


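For reference, the LDAP-based setup hdashnau describes laid out as an added example (not configuration posted in this thread): assumed ASA/PIX 7.x-8.x syntax, with the server address, DNs, group names and the 7-day warning window as placeholders.

```cisco
! AAA server group pointing at Active Directory over LDAP
! (placeholder names and addresses; adjust for your environment)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ! Bind account: must have rights in AD to reset user passwords
 ldap-login-dn CN=svc-vpn,OU=ServiceAccounts,DC=example,DC=com
 ldap-login-password <bind-password>
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 server-type microsoft
 ! AD only accepts password changes over LDAPS (TCP 636)
 ldap-over-ssl enable
 server-port 636

! Remote-access tunnel-group using that LDAP group
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 ! password-expire-in-days only takes effect with LDAP authentication;
 ! with a RADIUS server group (e.g. ACS/IAS) use plain "password-management"
 password-management password-expire-in-days 7
```

With RADIUS to ACS the appliance never talks to AD directly, so only the bare `password-management` keyword applies and the expiry warning is not available.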
hdashnau Tue, 05/25/2010 - 16:14

P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!

@mmorfejr Wed, 05/26/2010 - 13:57

Thanks Header. I agree with you that password management is just a simple matter; in fact it was already part of my configuration. Unfortunately it still doesn't work.

According to this link: "Password management is not supported for any of these connection types for Kerberos/Active Directory (Windows password) or NT 4.0 Domain. The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the security appliance perspective, it is talking only to a RADIUS server."

From the Cisco ACS failed attempt report it shows that "Windows password change failed" and that the root cause is a configuration issue.

However, I'm not sure what is incorrectly configured. I've raised a TAC for this already.

@mmorfejr Wed, 05/26/2010 - 13:59

I have responded to this email twice because I always get redirected to "Page Expired: To protect privacy and enhance security, the page you are trying to access is no longer available." when I try to reply via web browser. Not sure why, but my email reply post doesn't get posted as well.

@mmorfejr Wed, 05/26/2010 - 14:15

To add:

ACS is already set up to use the Windows database. Users can already authenticate using their accounts in the Windows database. However, when their password expires, or when their user account is newly created with the option "user must change password at next logon" checked, they couldn't change it in the Cisco VPN client.

The Windows user option is already configured to allow Dial-In.
