Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Paasword Management AnyConnect->ASA5510->ACS5.3->ActiveDirectory

Hello,

I've got the above listed Szenario.

Now I've tested the PasswordManagement by configuering the User, that he must change the Password at next Logon (did this on the DomainController)

So now when I connect with AnyConnect, I enter the old PW, then I'm forced to change the PW, and next I get the Message: Access denied.

In ACS I see 3 messages:


24407 User authentication against Active Directory failed since user is required to change his password

24463 Internal error in the ACS Active Directory

24408 User authentication against Active Directory failed since user has entered the wrong password

next Time I try to connect with the new PW, i get Access, but it's not very comfortable for the Users.

Is this the usual Behaviour, or is there something wrong?

Thank You!

P.S. Domain Controller is MS Win 2003

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Paasword Management AnyConnect->ASA5510->ACS5.3->ActiveDirectory

I think this may relate to following CDETS on AnyConnect

CSCua41458: AC password change: two conversations, 1st is dropped

It is newly opened and do not ye have further analysis / input

4 REPLIES
Cisco Employee

Paasword Management AnyConnect->ASA5510->ACS5.3->ActiveDirectory

Actually, when the option of "force user to change password at next login" is selected in AD, and you do VPN authentication,this will be like password has expired and it has to be changed this time. That's why the ACS report will show "24407 User authentication against Active Directory failed since user is required to change his password".

Since we are using radius so qn the ASA, you have to enable password management for the tunnel-group the

VPN user uses to login:

ASA(config)# tunnel-group general-attributes

ASA(config-tunnel-general)# password-management

So basically, when you select 'change password at next login' on AD, 'enable password change' on ACS, and enable 'password-management' on ASA, and a user tries to login, the first response sent by the ACS to ASA would be 'access reject'. The ACS report would show '24407 User authentication against Active Directory failed since user is required to change his password'. Immediately after this, the VPN user would get a prompt to change his password. Finally, ACS will send an 'access accept' reply. So, for this request, 2 ACS logs would be created- one for access reject and another for access accept.

Hope this helps.

-Jatin

Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
New Member

Paasword Management AnyConnect->ASA5510->ACS5.3->ActiveDirectory

Hello Jatin,

thank you for your response. I've everything configured as you explained.

So the devices working as designed, I'm not concerned about the messages in ACS, the only thing I dislike, is the Prompt on the Client-PC after changing password, that "access is denied" and the User has to type the new PW again. I'm afraid of too many Calls to the Hotline, you understand ;-) ?

So there is no malfunction in this scenario, right?

Karl

Cisco Employee

Paasword Management AnyConnect->ASA5510->ACS5.3->ActiveDirectory

I think this may relate to following CDETS on AnyConnect

CSCua41458: AC password change: two conversations, 1st is dropped

It is newly opened and do not ye have further analysis / input

New Member

Paasword Management AnyConnect->ASA5510->ACS5.3->ActiveDirectory

Thank you,

Version is

anyconnect-win-3.0.07059-k9.pkg

hope it will be fixed soon.

1303
Views
0
Helpful
4
Replies