Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACS 3.3 Authenticating VPN users on ASA5500

I am currently migrating VPN services from a Cisco 3015 concentrator to our new ASA 5540's using ACS 3.3 (appliance) for authentication. I have created a group on the ACS and added some test users and all works well. The next thing I wanted to do was to assign users and force them to change their passwords upon the first successful login. When I check "apply password change rule" under the "password aging rules" of the ACS group properties, I fail to get a prompt asking me to change the password and the ACS sets the user account to expired after the first login. Thank you for your help.

  • AAA Identity and NAC

Re: ACS 3.3 Authenticating VPN users on ASA5500

From the description, it seems like that you are using local ACS database.

You can check the variety of Password change that ACS can support,

Basically there are four types,

First two are only applicable, when we have user in Windows Database.

Third one is only applicable if we have user in local database, but we are using Tacacs+ as the authentication protocol.

And the last one says,

"Password Aging for Transit Sessions-Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed."

From my experience, there has been only one/two instances out of ten where I have seen this kind of setup working, when we have installed CAA and Cisco VPN Client together, and user is on local ACS database, to get it to work.

And this was in the case when Cu were using ACS 3.3.x and some lower version of VPN Client.

But if you have user on Window database, it works like a charm, using password management command on ASA,

hostname(config)# tunnel-group general-attributes

hostname(config-tunnel-general)# password-management

CAA is on installation/Upgrade CD of ACS SE.

Summarizing, I am not sure if this will work using local database of ACS.

Other solution that you can look into is UCP.

A utility that is used for changing password for local users on ACS database.

Again, UCP is not that flexible, i.e., you cannot change password through this utility, if password has already been expired etc.



This widget could not be displayed.