I need to force the Cisco VPN client to change his password on first login. In my setup I have the VPN client username locally created in a Cisco ACS 4.1 database and we are establishing the VPN Remote Access tunnel to an ASA5510 version 8.2.
So in ACS I went to password aging rules and clicked "Password expires on first login", then I tried to log in and connect, but authentication failed with no pop-up window to force the customer to change his password. When I look at the ACS logs I can see that the password has expired, but I'm never asked to change the password on the VPN client.
I also have the password-management (previously radius-with-expiry) option enabled on the tunnel-group general attributes of the ASA5510.
So how can I enable the user to change his password and show pop-up window for him to change it?
Going through your post, I noticed that you have "password-management" enabled under the concerned tunnel-group to use the password expiry feature for VPN clients.
The command is correct because radius-with-expiry was deprecated from 7.1.1. The password-management command replaces it. The no form of the radius-with-expiry command is no longer supported.
Since you have the user created on Cisco ACS (RADIUS server), this will not work with the password aging feature. It will only work if the user is in the Windows database. The password policy should only be configured on the Windows user database.
For VPN users, if we are using radius with expiry / RADIUS (proxy to AD) and ACS using Active Directory as the back-end database, we cannot send any warning messages to the end client about the days remaining for their password to expire. The password expiry will happen through ACS when the change is required, and it is only at that moment the user will be prompted to change the password. But users won't get any pre-warning messages.
You have to use the Windows database if you want to use ACS as a RADIUS server, OR you can use a direct LDAP database bypassing the ACS. With LDAP, you can also get a warning message that the password will expire in N days, unlike RADIUS.
If we are using ASA/PIX version 7.2 or above and if you want that warning message to appear, then you can try configuring the ASA for LDAP authentication rather than RADIUS authentication. For LDAP authentication, you would be required to configure the firewall appropriately and then make use of the password-expiry feature on the ASA.
Configuring Microsoft Active Directory Settings for Password Management:
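As an added illustration of the LDAP approach described in this answer (not the original poster's configuration and not taken from the Cisco document linked above), the ASA fragment below binds a remote-access tunnel-group directly to Active Directory over LDAPS and enables password-management with a pre-expiry warning. The server address, DNs, group name and bind account are placeholders you must replace with your own values.

```cisco
! Added example (assumptions: AD DC at 192.0.2.10, domain example.local,
! a read-only bind account, and a tunnel-group named RA-VPN)
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ! AD only accepts password changes over an encrypted session, so use LDAPS (636)
 ldap-over-ssl enable
 server-port 636
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ! VPN users authenticate with their sAMAccountName (Windows logon name)
 ldap-naming-attribute sAMAccountName
 ! Least-privilege bind account used only to locate the user object
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <bind-account-password>
 server-type microsoft
!
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 ! Authenticate against AD directly instead of proxying through ACS/RADIUS
 authentication-server-group AD-LDAP
 ! Prompt the user to change the password and warn 7 days before expiry
 password-management password-expire-in-days 7
```

With "User must change password at next logon" set on the AD account, the client is prompted for a new password at the next VPN login; the same prompt cannot be delivered when the user lives only in the ACS internal database, which is the original poster's situation.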