We have ASA 5550, Steel-Belted Radius and Windows 2003 Active Directory. I am trying to set it up so that the users can change the password when the password expires. We have over 1000 users.
I set up "password-management password-expire-in-days 14" in ASA. At the VPN client, it prompted for the User Name, Password, and Domain. I typed in the password. Then, it prompted me with a screen for the new password and confirm new password. Then, it prompted back the screen for the user name, password and domain. I typed in the new password and got the error message "413 User authentication failed". How do you set it up so that the users can change password before the password expires? Any help is greatly appreciated.
To enable password management, use the password-management command in tunnel-group general-attributes configuration mode. To disable password management, use the no form of this command. To reset the number of days to the default value, use the no form of the command with the password-expire-in-days keyword specified.
If you do not specify this command, no password management occurs. If you do not specify the password-expire-in-days keyword, the default length of time to start warning before the current password expires is 14 days.
If I set up Password-Management and do not specify the password-expire-in-days in ASA, do I need to set up anything in Active Directory so that Active Directory will inform the users that their password will expire in 14 days?
If you want Active Directory users to be notified before their password expires, use this script in Windows 2003 and run it in Task Scheduler every day. Remember to put the user email address in the Active Directory user account properties. You can amend the script to notify the user 9-6-3 days before their password expires. Be creative and add more info in the email, like the URL created in IISADMPWD so that users will know where to change their password.
If you want Active Directory users to change their password before it expires, search for IISADMPWD in the Microsoft Knowledge Base. For security, you can copy the IISADMPWD files outside the Windows System Directory and point the IIS home directory there. Make the page available only after the user successfully logs in to the VPN. You can be creative and amend the IISADMPWD files to provide information to users when they browse the page, like password difficulty, etc.
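The daily 9-6-3 day reminder check described in the reply above, as an added example; it is not part of the original thread and is not the script the poster refers to. It assumes the standard AD attributes pwdLastSet, maxPwdAge, userAccountControl and mail have already been read from the directory; the function names and the sample records are constructed for illustration, and the LDAP query and mail sending are left out.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires
NOTIFY_DAYS = (9, 6, 3)          # reminder schedule suggested in the reply

def to_filetime(dt):
    """Convert a datetime to AD's 100-ns ticks since 1601-01-01 UTC."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000

def days_until_expiry(user, max_pwd_age, now):
    """Whole days left, negative if expired, None if no age-based expiry applies."""
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age == 0 or user["pwdLastSet"] == 0:
        return None  # no domain expiry, or "must change at next logon"
    last_set = FILETIME_EPOCH + timedelta(microseconds=user["pwdLastSet"] // 10)
    expires = last_set + timedelta(microseconds=abs(max_pwd_age) // 10)
    return (expires - now).days

def users_to_notify(users, max_pwd_age, now):
    """Return (mail, days_left) for users who are due a reminder today."""
    due = []
    for u in users:
        left = days_until_expiry(u, max_pwd_age, now)
        # Skip accounts with no mail attribute: there is nowhere to send to.
        if left in NOTIFY_DAYS and u.get("mail"):
            due.append((u["mail"], left))
    return due

# Constructed sample data: 42-day domain policy, six hypothetical accounts.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = -(42 * 86400 * 10_000_000)  # maxPwdAge is stored as a negative interval

def _user(name, age_days, uac=0x200, mail=True):
    last = 0 if age_days is None else to_filetime(NOW - timedelta(days=age_days))
    return {"pwdLastSet": last, "userAccountControl": uac,
            "mail": f"{name}@example.com" if mail else None}

SAMPLE_USERS = [
    _user("alice", 33),                             # 9 days left
    _user("bob", 36, mail=False),                   # 6 days left, no mail set
    _user("carol", 39, uac=0x200 | UF_DONT_EXPIRE_PASSWD),
    _user("dave", 20),                              # 22 days left, not due
    _user("erin", None),                            # pwdLastSet == 0
    _user("frank", 39),                             # 3 days left
]

if __name__ == "__main__":
    for mail, left in users_to_notify(SAMPLE_USERS, MAX_PWD_AGE, NOW):
        print(f"{mail}: password expires in {left} days")
```

The bob record shows why the reply insists on filling in the email address: an account that is due a reminder but has no mail attribute is silently skipped.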