I am currently migrating VPN services from a Cisco 3015 concentrator to our new ASA 5540s, using ACS 3.3 (appliance) for authentication. I have created a group on the ACS and added some test users, and all works well. The next thing I wanted to do was to assign users and force them to change their passwords upon the first successful login. When I check "apply password change rule" under the "password aging rules" of the ACS group properties, I fail to get a prompt asking me to change the password, and the ACS sets the user account to expired after the first login. Thank you for your help.
The first two are only applicable when we have the user in the Windows database.
The third one is only applicable if we have the user in the local database, but we are using TACACS+ as the authentication protocol.
And the last one says:
"Password Aging for Transit Sessions: Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed."
From my experience, there have been only one or two instances out of ten where I have seen this kind of setup working: when we have installed CAA and the Cisco VPN Client together, and the user is in the local ACS database, to get it to work.
And this was in the case when the Cu were using ACS 3.3.x and some lower version of the VPN Client.
But if you have the user in the Windows database, it works like a charm, using the password-management command on the ASA,
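As an added illustration (not configuration from the original thread or from Cisco), a minimal ASA configuration for the password-management approach the reply refers to: the ASA talks RADIUS with MS-CHAPv2 to the ACS, which checks the user against the Windows database, so the "must change password at next logon" state set on the Windows account is what drives the change prompt at login. The server tag ACS, the address 10.0.0.5, the shared key and the tunnel-group name RA-VPN are constructed placeholders.

```cisco
! Constructed example values: ACS at 10.0.0.5, shared key Key_1, tunnel group RA-VPN.
! RADIUS server group pointing at the ACS appliance.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5
 key Key_1
! The password-change exchange with the Windows database runs over MS-CHAPv2,
! so the ASA must be allowed to use it against this server (this is the default).
 mschapv2-capable
!
! Remote-access tunnel group that authenticates through the ACS group above
! and lets the client be prompted to change an expired or must-change password.
! On ASA 7.x the tunnel-group type keyword is ipsec-ra instead of remote-access.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS
 password-management
```

Verify on the ASA with `show running-config tunnel-group RA-VPN` and `debug radius` during a test login; if the user's Windows account does not carry the must-change flag, no prompt is expected.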