Users VPN with ACS 5.3

Unanswered Question
Mar 22nd, 2012
User Badges:

Hi Experts


I have an ACS Appliance 5.3. I have configured VPN users to be authenticated against the ACS internal database, but when I mark the check box "change password on next login" the VPN user is unable to connect using the VPN client software! Please, has anybody come across this issue? What is the solution to let the VPN user change their own password and log in successfully? BTW, on ACS 4.1 it works perfectly: VPN users can change their password at the next login.




thanks


Jamil

Dev Vishwakarma Thu, 03/22/2012 - 04:58
User Badges:
  • Cisco Employee,

Jamil,


There are a few things involved with the password change:


1] ACS should be configured to expire the password at next logon -- which you have done.

2] Under the ACS 5.3 Access Policy > Default Network Access (or your own service) > Allowed Protocols, MS-CHAPv2 must be enabled.

3] The VPN gateway (ASA) should have password expiry or password management enabled for the tunnel group that the user is connecting to. This way the VPN gateway will be able to send the password in MS-CHAP and then understand the MS-CHAP error (to change the password) that will be sent by the ACS 5.3.


A quick way to test whether password expiry/management is enabled on the tunnel group is to see if you are getting an additional "domain name" text box, along with the user and password text boxes, on the VPN client during X-Auth.


Regards,

Dev

Ibrahim Jamil Thu, 03/22/2012 - 05:39
User Badges:

Hi Dev


Can you please elaborate on point 3)?



Please note that on ACS 4.1 it works perfectly.


Thanks


Jamil

Dev Vishwakarma Thu, 03/22/2012 - 05:43
User Badges:
  • Cisco Employee,

Jamil,


Point 3 is more relevant if you are using Cisco's ASA as your VPN head-end/server. So please let me know which VPN server you are using. Then I can explain the point in a better way.


Regards,

Dev

Ibrahim Jamil Thu, 03/22/2012 - 05:46
User Badges:

Hi Dev!


Yes, the VPN gateway is an ASA 5510 running 8.2 code.


Also, please post the config for point 3 if any.


thanks


jamil

Dev Vishwakarma Thu, 03/22/2012 - 05:59
User Badges:
  • Cisco Employee,

For the password change to work, the ASA should be configured to allow/understand the password change request sent from ACS 5.3. The way we enable it on the ASA is (the tunnel group is first created as remote-access, then password management is turned on under its general attributes):


hostname(config)# tunnel-group tunnel_group_name type remote-access

hostname(config)# tunnel-group tunnel_group_name general-attributes

hostname(config-tunnel-general)# password-management


When you configure the password-management command, the ASA notifies the remote user at login that the user's current password is about to expire or has expired. The ASA then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The ASA ignores this command if RADIUS or LDAP authentication has not been configured.


Note that this does not change the number of days before the password expires, but rather the number of days ahead of expiration that the ASA starts warning the user that the password is about to expire.


Regards,

Dev
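The ASA side of what Dev describes, as an added configuration example that is not part of the thread: the RADIUS server group pointing at ACS 5.3 (password-management is ignored without one), the MS-CHAPv2 capability on the RADIUS host, and password-management under the tunnel group's general attributes. The server-group name, tunnel-group name, interface, IP address and shared secret are placeholders chosen for illustration.

```cisco
! Added example (not from the thread); names, address and key are placeholders.
! 1) RADIUS server group for ACS 5.3 - required, or password-management is ignored.
aaa-server ACS53 protocol radius
aaa-server ACS53 (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 mschapv2-capable
!
! 2) Remote-access tunnel group: authenticate against ACS53 and allow the
!    MS-CHAPv2 password-change exchange that ACS returns for an expired password.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS53
 password-management
!
! Verification / troubleshooting (the debugs Dev asks for later in the thread):
! show running-config aaa-server ACS53
! show running-config tunnel-group RA-VPN
! debug radius
! debug aaa common 255
```

Expect the extra "domain" field on the VPN client once this is in place; as stated later in the thread, it comes with enabling MS-CHAP on the ASA and cannot be hidden.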

Ibrahim Jamil Thu, 03/22/2012 - 06:09
User Badges:

Hi Dev


With ACS 4.1 for Windows it works perfectly without altering the ASA config. Why, with ACS 5.3, should we configure the command you mentioned above to make it work?

I will try it and keep you posted.


Thanks a lot for your help.


Jamil

Dev Vishwakarma Sat, 03/24/2012 - 23:18
User Badges:
  • Cisco Employee,

Jamil, I can understand your reasoning. Let's dive a bit deeper into this. Please share the following information with me:


- show tech from the ASA

- debug output from the ASA 1] when connecting through ACS 4.x and 2] when connecting through ACS 5.x:

  debug radius

  debug aaa common 255

- Screenshot of ACS 5.x > Monitoring Reports > AAA Protocol > RADIUS Authentication



Regards,


Dev

Ibrahim Jamil Sun, 03/25/2012 - 10:01
User Badges:

Hi Dev


It works fine, but in the user's VPN client software another field named "domain" appears beside username and password. This confuses the VPN users a bit. Is there any command to make the domain field disappear from the VPN client software?



Appreciate your help.


Jamil

Dev Vishwakarma Sun, 03/25/2012 - 23:52
User Badges:
  • Cisco Employee,

Hi Jamil,



As mentioned in one of my earlier posts, another field will appear for Domain, and the reason is that you are turning on MS-CHAP on the ASA for authentication, which by default has provision for an AD domain. At present there is no way to disable that extra field.



The best way is to educate the users to ignore it.



Regards,


Dev
