
ACS 4.2 - External DB Password Expiry not working as expected

glenn.ong
Level 1

The setup is a VPN Client 5.0 connecting using a VPN Concentrator 3015 (using RADIUS with password expiry). ACS is set up using an External DB (Windows2k3 DC) with MS-CHAPv1/v2 password changes enabled.

Everything is working. However, when the user's password is expired, the client does not prompt for a password change.

ACS can see the failed attempts as 'Authen-Failure-Code - Windows user must change password'. Without the prompt, however, the user cannot change his/her password.

Any feedback is welcome. Thanks.

2 Replies

Jagdeep Gambhir
Level 10

Hi,

Please make sure it is configured as per this link,

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946b9.shtml

Regards,

~JG

Do rate helpful posts

Hi JG,

Thanks for the reply. The exact guide has been followed as closely as possible (but not to the dot as some fields are missing due to version differences) but the issue persists.

Wondering if there's any known bug/gotchas for this spec:-

- Cisco ACS v4.2 (Running on 1113 SE)

- Win2K3 Enterprise/DC running ACS RA 4.2.0.124-k9 (isolated native domain - no child/trusted r'ship setup)

- VPN Concentrator 3015 v4.7.2

- VPN client 5.0.00.0340

Straight authentication is definitely OK - it's just the password expiry prompt that is not given. The system admin has assured me the AD is running OK, but I wonder if there's any special configuration that we should be especially aware of (I have shown him this: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp311476 and was able to verify that the settings have been followed).

Any comment is welcome. Thanks.