Enable Win2K password changes for 3DES VPN Clients

Unanswered Question
Nov 15th, 2002

We're going to be implementing a password expiration policy and need VPN clients to be able to change them remotely. Currently we are using 3DES encryption with Windows 2000 authentication. When we change the Win2k account to "User must change pwd at next logon" they can no longer connect and are never presented with an option to change their password.

Is there any way to do this? Any input is appreciated.

Jim Carbone

insightexpress Fri, 11/15/2002 - 13:51

I forgot to mention we are using a 3005 VPN Concentrator running ver. 3.5.3.A

Thanks again -

Jim Carbone

doswald68 Mon, 11/18/2002 - 05:12

We have the same issue!!! All the responses I have received from Cisco are "no, that is not an option."

travis-dennis_2 Mon, 11/18/2002 - 06:06

Are you guys trying to change the password for users with the software client? If so, I have had success with having the user activate the "start before logon" activity that launches the VPN client before they log on to the PC. They connect, authenticate to the 3005, then are prompted to log into the Windows 2000 domain. This way they are actually logging into the domain instead of logging in locally using cached credentials, and they would not be able to change the passwords like that. W2k gets nuts when you try to do this. I am also using 3002s in Network Extension Mode and have no problems with password changes.

doswald68 Mon, 11/18/2002 - 06:34

I have not tried that but it presents some issues for us.

1. Multiple logons for the same user (management wants one logon, otherwise it is confusing for them).

2. Multiple databases to maintain.

3. People can log on to the network without authenticating to the domain, thus every time someone leaves the company I have to change the group password.

Maybe I am missing some other way to configure the concentrator, but I have tested this in multiple ways, and the best way for us is to require users to authenticate to both the concentrator and the domain at the same time, thus if one or the other authentication fails they do not get connected. I also have an issue with the fact that we cannot run our logon scripts when users log on.

Thoughts ?

travis-dennis_2 Sat, 11/23/2002 - 19:10

To clarify what I am doing, I have a 3005 at the central site, 3002s at the remote sites using Network Extension Mode, and a W2k AD domain. The users at the remote sites have PCs that belong to the domain. They log on and off just as if they were local. One logon and they are connected to the domain. No need for multiple logons. Since I am running in Network Extension Mode, users can change their passwords just like local, since Network Extension Mode does pretty much what it is called: extends the network. When you delete a user's account, that user can no longer log onto a PC and hence has no network access. For the truly security minded, you can also use Xauth to further protect network resources. I have also had success with doing this with the software client, but they HAVE to use "Start before Logon" and establish the tunnel BEFORE they log onto the PC.
