Actually, when the option of "force user to change password at next login" is selected in AD, and you do VPN authentication,this will be like password has expired and it has to be changed this time. That's why the ACS report will show "24407 User authentication against Active Directory failed since user is required to change his password".
Since we are using radius so qn the ASA, you have to enable password management for the tunnel-group the
VPN user uses to login:
ASA(config)# tunnel-group general-attributes
So basically, when you select 'change password at next login' on AD, 'enable password change' on ACS, and enable 'password-management' on ASA, and a user tries to login, the first response sent by the ACS to ASA would be 'access reject'. The ACS report would show '24407 User authentication against Active Directory failed since user is required to change his password'. Immediately after this, the VPN user would get a prompt to change his password. Finally, ACS will send an 'access accept' reply. So, for this request, 2 ACS logs would be created- one for access reject and another for access accept.
thank you for your response. I've everything configured as you explained.
So the devices working as designed, I'm not concerned about the messages in ACS, the only thing I dislike, is the Prompt on the Client-PC after changing password, that "access is denied" and the User has to type the new PW again. I'm afraid of too many Calls to the Hotline, you understand ;-) ?
So there is no malfunction in this scenario, right?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...