05-20-2010 01:51 PM
How do I configure password expiration in Cisco VPN client if the user account is in Windows Database?
05-21-2010 12:50 AM
Hi,
Check out the link below; hope that helps!!
Ganesh.H
Remember to rate the helpful post
05-21-2010 02:48 AM
Hi Ganesh,
Thanks for taking time to answer my question. Unfortunately I forgot to mention that I'm using a PIX 525 firewall and not a Cisco IOS router. Although I was able to modify some settings in my ACS and Windows AD, it still doesn't work. I think there are still some items that need to be reconfigured on the firewall.
Would you be able to send me a link as well using a PIX firewall?
Thanks!
05-21-2010 11:57 AM
Hi,
Password management on PIX/ASA is a simple matter. To enable it, just add "password-management" to your remote access tunnel-group. There is an additional part of this command called expire-in-days. Note that you can only use expire-in-days if you are using LDAP authentication to your AD server. expire-in-days will not work with RADIUS authentication to IAS and then to AD. One other thing to keep in mind is that for LDAP authentication you need to make sure the login-dn in your LDAP aaa-server group has admin rights (to be able to change passwords in AD), and you should use ldap-over-ssl.
You can read more about password-management in the pix/asa here:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916
-heather
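An added example (not from this thread) of the LDAP-based layout described above on ASA/PIX 8.0: the aaa-server group binds over SSL with a dedicated service account, and the tunnel-group enables password-management with an expiry warning. The group name AD-LDAP, the host 10.0.0.10, the domain example.com, the account svc-asa-ldap and the tunnel-group name RA-VPN are assumed values.

```cisco
! --- Assumed names/addresses; replace with your own ---
! LDAP server group pointing at the AD domain controller
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 server-type microsoft
 ! Bind over SSL on 636 so credentials and the password change are not sent in clear text
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Bind account must have rights to reset user passwords in AD
 ldap-login-dn cn=svc-asa-ldap,cn=Users,dc=example,dc=com
 ldap-login-password <bind-password-placeholder>
!
! Remote-access tunnel-group using the LDAP group for authentication
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 ! Warn users 14 days before expiry; the number only takes effect with LDAP authentication,
 ! a RADIUS-authenticated group would use plain "password-management"
 password-management password-expire-in-days 14
```

With RADIUS to IAS/ACS the security appliance only sees a RADIUS server, so the days value is ignored and expiry notification depends on the RADIUS path instead.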
05-25-2010 04:14 PM
P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!
05-26-2010 01:57 PM
Thanks Heather. I agree with you that password management is just a simple matter; in fact it was already part of my configuration. Unfortunately it still doesn't work.
According to this link: "Password management is not supported for any of these connection types for Kerberos/Active Directory (Windows password) or NT 4.0 Domain. The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the security appliance perspective, it is talking only to a RADIUS server."
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916
From the Cisco ACS failed attempt report it shows that "Windows password change failed" and that the root cause is a configuration issue.
https://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.3/troubleshooting/guide/ecodes.html
However, I'm not sure what is incorrectly configured. I've raised a TAC case for this already.
05-26-2010 01:59 PM
I have responded to this email twice because I always get redirected to "Page Expired - To protect privacy and enhance security, the page you are trying to access is no longer available." when I try to reply via web browser. Not sure why, but my email reply post doesn't get posted as well.
05-26-2010 02:15 PM
To add:
ACS is already set up to use the Windows database. Users can already authenticate using their accounts in the Windows database. However, when their password expires, or when their user account is newly created with the option "user must change password at next logon" checked, they couldn't change it in the Cisco VPN client.
Windows user option is already configured to allow Dial-In.