Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Password aging with VPN Client not working

I need to force the Cisco VPN client to change his password on first login. In my setup I have the vpn client username locally created in a Cisco ACS 4.1 Database and we are stablishing the VPN Remote Access tunnel to a ASA5510 version 8.2.

So in ACS I went to password aging rules and clicked the Passsword expires on first login, then I tried to login and connect but then authentication failed with no pop up window to force the customer to change his password. When I see the ACS logs I can see that the password has expired, but I'm never asked to change the password on the vpn client.

I also have the password-management (previously radius-with-expiry) option enabled on the tunnel-group general attributes of the ASA5510.

So how can I enable the user to change his password and show pop-up window for him to change it?


Fernando Aguirre


Re: Password aging with VPN Client not working

The doc says that it is supported for LDAP only

Hope this helps.



Cisco Employee

Re: Password aging with VPN Client not working


Going through your post, I noticed that you have "password-management" enabled under the concern tunnel-group to use password expiry feature for VPN clients.

The command is correct beacuse radius-with-expiry was deprecated from 7.1.1. The password-management command replaces it. The no form of the radius-with-expiry command is no  longer supported.

Since you have user created on cisco ACS  (radius server) this will not work with password aging feature.
It will only work if user is on Windows database. The password policy should only be configured on the windows user database.

For VPN users, if we are using radius with expiry/ radius (proxy to AD) and ACS using Active Directory as the back end database, we cannot send any warning messages to the end client about the days remaining for their password to expire. The password expiry will happen through ACS, when the change is required, and it is only at that moment user will be prompted to change the password. But users won’t get the any pre-warning messages.

You have to use windows database if you want to use ACS as a radius server OR you can use direct LDAP database bypassing the ACS. With LDAP, you can also get warning message that password will be expired in N number of days unlike radius.

If we are using ASA/PIX version 7.2 or above and if you want that warming message to appear, then you can try configuring ASA for LDAP authentication rather than RADIUS authentication. And for LDAP authentication, you would be required to configure the firewall appropriately and then make use of password-expiry feature on ASA

Configuring Microsoft Active Directory Settings for Password Management:

Configuring IPSec Remote-Access Connection Profile General Attributes (refer to Step 9):

Do let me know if you need any further assistance on this.



Pls rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**