SSL VPN password change / notification

Answered Question
Jul 6th, 2011

Has anyone got a working setup for SSL VPN users in regard to notifying them that their password is going to expire, and then giving the VPN user the opportunity to change the password during the VPN login process, involving ASA5520 - ACS RADIUS server - Active Directory?



Our VPN users connect with the Cisco AnyConnect VPN Client v2.5.3046 to an ASA5520 running 8.4(1); all user validation is handled via RADIUS through a Cisco ACS 5.2 server, which in turn validates the users against MS Active Directory.

For the relevant connection profile on the ASA, the option Advanced / General / Password Management / Enable password management has been selected, together with Notify user 14 days prior to password expiration. As mentioned, it connects to a Cisco ACS RADIUS server with MS-CHAPv2 enabled on both the ASA and the ACS.

On the ACS server, under Users and Identity Stores > External Identity Stores > Active Directory, we have a successful bind to the AD, and the value End User Authentication Settings > Enable password change has been selected.

Just to make sure the password notification function is working in the first place, I changed the ASA5520 AAA server group to use LDAP instead of RADIUS and configured a direct path to one of our domain controllers. Sure enough, when the user logged in he got a notification that the password would expire in xx days and was then given the option to change the password right away or just connect with the current password.

The thing is, I don't want to use just LDAP for VPN authentication; I have quite an expensive setup on the ACS servers with unique ACLs for various groups of employees and especially for external consultants, and I also use the ACS for customization of the web page and resources when Web VPN is used.

Can it really be that password expiration notification only works using LDAP, and if this is really the case, is there any way to configure dual authentication, so I could first validate the user against LDAP and next against the ACS?

(Side note: I tried to configure the ASA to use LDAP as normal authentication and then the ACS as authorization, but it failed, first of all because the ASA started to use PAP/ASCII against the ACS, and even when I allowed that, it seemed the ASA wasn't passing the user's password onwards, with the result that the ACS failed and the user account ended up getting locked out in the AD.)

Any insight, pointers or help would be greatly appreciated.


Correct Answer
josemed Mon, 07/11/2011 - 23:05

Hello Rene,

* Correct, the "password-expire-in-days" option is for LDAP only.

* If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes.

* Yes, you can configure double authentication.

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/webvpn.html#wp1000458

http://www.cisco.com/en/US/partner/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1331535

http://www.cisco.com/en/US/partner/docs/security/asa/asa82/configuration/guide/vpngrp.html#wp1243545

Regards,

Correct Answer
hebaerte Thu, 07/14/2011 - 00:47

Hi Rene

Gustavo is correct, however please note that with double authentication (or Secondary authentication in ASA/ASDM terminology) the user will be presented with 2 username fields and 2 password fields on the login screen.

The second username field can be hidden (see the config guide, don't know the command off the top of my head) but the user will still have to enter 2 passwords (since this is meant to be used with 2 different auth servers, usually one of them is a one-time-password system).

In your case the 2 passwords will be the same, so you could apply a 'hack' so that the user only has to enter it once: create a customization, enable the Information Panel, and enter the following javascript code in the "Text" field:

    // Hide the secondary password label ("field") and input field ("input").
    // The element ids are those used by the ASA WebVPN login form.
    var hideIds = ["secondary_password_input", "secondary_password_field"];
    for (var i = 0; i < hideIds.length; i++) {
      var el = document.getElementById(hideIds[i]);
      if (el) { el.style.visibility = "hidden"; }
    }

    // On Logon, copy the primary password into the hidden secondary field,
    // then hand over to the submit handler the page originally installed so
    // its own validation (and return value) still applies.
    var loginForm = document.getElementById("unicorn_form");
    var submitOrig = null;

    function CopyPrimaryPasswordToSecondary(event) {
      var primary = document.getElementById("password_input");
      var secondary = document.getElementById("secondary_password_input");
      if (primary && secondary) { secondary.value = primary.value; }
      loginForm.onsubmit = submitOrig;          // restore the original handler
      return submitOrig ? submitOrig.call(loginForm, event) : true;
    }

    if (loginForm) {
      submitOrig = loginForm.onsubmit;
      loginForm.onsubmit = CopyPrimaryPasswordToSecondary;
    }

In case you're not familiar with JavaScript, what this does is:

- hide the secondary password prompt

- when you click the Logon button, it copies the content of the (primary) password field to the (now hidden) secondary password field, then submits the form.

Note that this is not officially supported, e.g. it may break when you upgrade the ASA etc.

Also note that the dual auth will make it seem to your AD that each user logs in twice, with only a few milliseconds in between; I don't expect this to be a problem but I'm not an AD expert.

Also not sure what exactly will happen when there is an actual password change... sorry don't have time to test this right now (and I will be out the next 2 weeks).

hth

Herbert

PS: LDAP authentication with RADIUS authorization could indeed also be an option, but as you noticed, for RADIUS authorization the ASA does not send the user's password; instead it sends either a common password (which you can configure, but it is the same for all users) or the username as the password. (The reason for this is that RADIUS authorization is normally used with certificate authentication, so there is no password.)
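To put Gustavo's and Herbert's answers together on the CLI, here is an added configuration example; it is not from the thread, from Rene's ASA, or from Cisco's documentation, and the server group names, addresses, DNs, secrets and the tunnel-group name are placeholders. It uses LDAP straight to a domain controller as the primary server (that is where "password-expire-in-days" is honoured), the existing ACS RADIUS group as the secondary server, and the use-primary-username keyword, which is the option Herbert refers to for suppressing the second username field. authentication-attr-from-server secondary is what makes the ACS (secondary) server's attributes, i.e. the per-group ACLs and WebVPN customization already built on the ACS, apply to the session; check both keywords against the 8.4 configuration guide linked above before relying on them. AD will only accept a password change from the ASA over LDAP with SSL, hence port 636.

```text
! Added example, not from the thread or from Cisco documentation.
! Names, addresses, DNs and secrets below are placeholders.

! Primary server: LDAP to a domain controller. Password management
! (expiry warning and change) against AD requires LDAP over SSL.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=local
 ldap-login-password *****
 ldap-over-ssl enable
 server-port 636
 server-type microsoft

! Secondary server: the existing ACS RADIUS group. MS-CHAPv2 is the
! default on 8.4; it is shown explicitly because the ACS needs it to
! authenticate (and change passwords) against AD.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.0.0.20
 key *****
 authentication-port 1812
 accounting-port 1813
 mschapv2-capable

! Connection profile: LDAP first, then ACS with the same username,
! session attributes taken from the ACS, 14-day expiry warning.
tunnel-group SSLVPN-PROFILE type remote-access
tunnel-group SSLVPN-PROFILE general-attributes
 authentication-server-group LDAP-AD
 secondary-authentication-server-group ACS-RADIUS use-primary-username
 authentication-attr-from-server secondary
 authenticated-session-username primary
 password-management password-expire-in-days 14
```

With use-primary-username the user is still prompted for two passwords, which is where Herbert's JavaScript comes in; without it the ASA shows two username fields as he describes. Each successful login still produces one LDAP bind and one MS-CHAPv2 request at AD, so a wrong password counts twice against any AD lockout threshold.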

rkirkeby Thu, 07/14/2011 - 04:45

Dear Gustavo and Herbert, thank you both for taking the time to reply to this issue.

You have both confirmed the initial question, that the "password-expire-in-days" option is for LDAP only, and addressed some interesting alternatives for how to work around this.

Time does not allow me to progress on this matter for the next couple of weeks, but I will read through your comments and suggestions very carefully to see if some of it can be used to obtain the ultimate goal.

Thanks for your time, once I get the chance to revisit this issue I will update the case.

Best Regards

René Kirkeby

rkirkeby Tue, 07/19/2011 - 03:02

I allowed my own password to expire in the AD to see what would happen when trying to log in via VPN with an account whose password has expired.

Once connected, the AnyConnect client informed me that the password had expired and provided a dialog to update it; since the overall goal was to provide remote users with this ability, it seems the current setup will fulfil the task.

Maybe I initially confused the fact that if the password-expire-in-days notification wasn't working, then it wouldn't work either once the password had actually expired.

Thank you Gustavo and Herbert for the verification of the LDAP functionality and for providing alternative solutions to this case.

Case closed.

Posted July 6, 2011 at 4:23 AM