So this is more of a Router configuration issue then it is a ACS(TACACS) issue?  Do you have any sample config for a router that I can test, or any documentatin that I can look at.  I a mnot to familier with how that piece works.

Thanks

The name of the feature you're looking for is "password expiry" and uses MS-CHAPv2

That's why the AAA Client (in your case, router), the AAA protocol (I'm guessing you're using TACACS), the AAA server (ACS 5.1), your Active Directory server, all of them must support MS-CHAPv2.

Sadly, I don't know if TACACS+ supports MS-CHAPv2 authentication. I know that Cisco Routers with RADIUS do support MS-CHAPv2 authentication for VPNs, (beginning IOS 12.4(6)T ) but I never tested it. The command is

aaa authentication login passwd-expiry group radius

In Cisco ASA also RADIUS supports password-expiry for VPNs. The command is

tunnel-group general-attributes

  password management

By the way, I have a case opened with Cisco TAC about password-expiry between ASA and ACS 5.1, because it seems there's a bug with ACS5.1 supporting MS-CHAPv2 password-expiry. I'll keep you posted about my findings.

Sorry guys I got a bit busy and was not able to dig any more into this.

So are you saying that if I use TACACS+ to allow admin access to my Cisco Routers, if I use AD to authenticate there ID's and Passwords (no local ACS accounts) it will not allow me to alert them when there PW is about or has expired?

Everything works perfectly right now using AD to authenticate and map AD groups to a ACS group, but it is not alerting my users when there passords are about to expire.  So there accounts can get locked up if they dont change them.

Thoughts?

Mike

I'm attempting the same thing, albeit a tiny bit differently..

I have an ASA supporting a VPN, and ACS 5.2 support TACACS, and RADIUS Authentications.

When a user is in "user must change password on next login" mode, the Login Prompt on the ASA just states that the "login failed".  It doesn't prompt the user properly to change their password.

In ACS RADIUS Authentication Logs, I see the error message "24203 User need to change password" which is good, but the ASA is not understanding the reply from the ACS.

I also have a TAC Case open for this issue.  Obviously it will be a bit different than ASA -> ACS -> AD..   but it might be the same principle with the password-expiry command.

Please update this thread if you've found an update.

Thanks

I will definetly keep you in the loop, but TAC is telling me there is no way.  Find it hard to believe this was not thougth of when 5.x was created and able to connect to AD for auth.  I am just using tacacs for admin access to Routers, Switches and ASA's, no VPN access.

Mike

I actually heard back from TAC..

With my config, there isn't a way to do it..  

I currently have users Authenticate to the VPN using RSA..   so the sequence goes  ASA -> ACS -> RSA (if user not found fall back to ACS Internal User) -> ACS..

During the process of the tunnel from ACS -> RSA, the MSChap v2 is stripped, and the ASA never gets the password change request back to the ASA initiating the connection.

I could make this work by solely using ACS for authentication, but that's not how we want things to work here.

However, to make it work with ACS, there is a command I put into the Tunnel-group area called "password-management".  I'm not sure if you can apply that to other parts of the config for device authentication or not,..  and I'm not sure if you can tie that in to AD authentication either.

Anyways, that's what I've found.

Hello Mike. could you tell your case number ? I have a similar case opened.

Sure can, the case number is: 616060259.  I was working with TAC at the end of last year, I was just able to pick back up on this, that is why I figured I would try these forums next.

Let me know if find out anything.