992 Views, 5 Helpful, 3 Replies

ACS Password Policy

michaelhorv11
Level 1

My company would like to replace the existing LDAP servers with Cisco ACS.  One requirement of our VPN security policy is that the user must change their VPN account password prior to their first log in.  If the user tries to connect to the VPN without changing their password, then they are denied access.

Is there a rule in ACS that can achieve this goal?


3 Replies

David Castro F.
Spotlight

Hi Michael,

You can reset the password this way:

Resetting Another Administrator’s Password

To reset another administrator’s password:

Step 1. Choose System Administration > Administrators > Accounts.

The Accounts page appears with a list of administrator accounts.

Step 2. Check the check box next to the administrator account for which you want to change the password and click Change Password.

The Authentication Information page appears, listing the date when the administrator's password was last changed.

Step 3. In the Password field, enter a new administrator password.

Step 4. In the Confirm Password field, re-enter the new administrator password.

Step 5. Check the Change password on next login check box for the other administrator to change the password at first login.

Step 6. Click Submit.

The administrator password is reset. 

Which type of remote-access VPN are you using, AnyConnect or the IPsec VPN Client?

Please rate this post and mark it as correct if it helped you! Keep me posted.

David Castro,

I appreciate your response.  The users will be connecting to the VPN via AnyConnect. For the AnyConnect users, is there an option to force them to change their password upon first login?  

Hello Michael,

Yes, there is a way to change the password: you will need to define "password-management" under the tunnel group that you created for this connection with the AAA server that will authenticate users. Please take into account the following information:

ACS can be configured to check the users in an AD database. Password expiry and change is supported when Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) is used.

On an ASA, you can use the password management feature, as described in the next section, in order to force the ASA to use MSCHAPv2. ACS uses the Common Internet File System (CIFS) Distributed Computing Environment/Remote Procedure Call (DCE/RPC) call when it contacts the Domain Controller (DC) directory in order to change the password.

The ASA can use both the RADIUS and TACACS+ protocols in order to contact the ACS for an AD password change; the command is:

ASA(config)# tunnel-group general-attributes

ASA(config-tunnel-general)# password-management

For further information on PAP and MSCHAP along with RADIUS, see:

  http://www.cisco.com/c/en/us/support/docs/network-management/remote-access/116757-config-asa-remote-00.pdf

Please rate this post and the previous one and mark it as correct; keep me posted if something comes up!

Regards,

David Castro,
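The following is an added configuration example and is not from the thread above or from Cisco documentation. It puts the "password-management" command from the accepted answer into context: an ASA RADIUS server group that points at ACS, with MSCHAPv2 enabled on the server host so the password-change exchange can work, and an AnyConnect tunnel group that authenticates against that group. The server-group name (ACS-RADIUS), tunnel-group name (ANYCONNECT-TG), interface name, IP address and shared secret are placeholders to be replaced with your own values.

```text
! --- ADDED EXAMPLE (not from the original thread); names and addresses are placeholders ---
! RADIUS server group pointing at the ACS node that fronts Active Directory
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 ! MSCHAPv2 is required for the password-change exchange described in the answer;
 ! it is the ASA default for RADIUS hosts, shown here explicitly so it is not disabled by accident
 mschapv2-capable

! AnyConnect tunnel group that authenticates against the ACS group above
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group ACS-RADIUS
 ! Lets the ASA relay an expired / must-change password through ACS to AD
 password-management
```

After applying the configuration, "show running-config tunnel-group ANYCONNECT-TG" confirms that password-management is present under the general attributes, and "show running-config aaa-server ACS-RADIUS" confirms the host is MSCHAPv2 capable. As the accepted answer notes, the password change only works when the ACS users are backed by an AD database and the RADIUS exchange uses MSCHAPv2; a user whose AD account is flagged "must change password at next logon" is then prompted by the AnyConnect client instead of being silently rejected.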