Community Member

Users VPN with ACS 5.3

Hi Experts

I have an ACS Appliance 5.3. I have configured VPN users to be authenticated against the ACS internal database, but when I mark the check box "change password on next login" then the VPN user is unable to connect using the VPN client software! Please, has anybody come across this issue? What is the solution to let the VPN user change their own password and log in successfully? BTW, on ACS 4.1 it works perfectly; VPN users can change their password at the next login.

thanks

Jamil

10 REPLIES
Cisco Employee

Users VPN with ACS 5.3

Jamil,

There are a few things involved with the password change:

1] ACS should be configured to expire the password at next logon -- which you have done.

2] Under the ACS 5.3 Access Policy > Default Network Access (or your own service) > Allowed Protocol > MsChap v2 must be enabled.

3] VPN gateway (ASA) should have the password expiry or password management enabled for the tunnel group that the user is connecting to, this way the VPN gateway will be able to send the password in MsCHAP and then understand the Ms-CHAP error (to change the password) that will be sent by the ACS 5.3.

A quick way to test if the password expiry /management is enabled on the tunnel group is, to see if you are getting an additional text box of domain name, along with user and password text boxes on the VPN client during x-auth.

Regards,

Dev

Community Member

Users VPN with ACS 5.3

Hi Dev

Can you please elaborate on point 3)?

Please note that on ACS 4.1 it works perfectly.

Thanks

Jamil

Cisco Employee

Users VPN with ACS 5.3

Jamil,

The point 3 is more related if you are using Cisco's ASA as your VPN head-end/server. So please let me know what is the VPN server that you are using. Then I can explain the point in a better way.

Regards,

Dev

Community Member

Users VPN with ACS 5.3

Hi Dev!

Yes, the VPN gateway is an ASA 5510 running 8.2 code.

Also, please post the config for point 3, if any.

thanks

jamil

Cisco Employee

Users VPN with ACS 5.3

For the password change to work, ASA should be configured to allow/understand the password change request sent from ACS 5.3. The way we enable it on the ASA is:

hostname(config)# tunnel-group tunnel_group_name type remote-access

hostname(config-tunnel-general)# password-management

When you configure the password-management command, the ASA notifies the remote user at login that the user's current password is about to expire or has expired. The ASA then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The ASA ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the ASA starts warning the user that the password is about to expire.

Regards,

Dev
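Putting the ASA-side pieces from this thread together, here is an added example configuration (not from the original post) that wires a remote-access tunnel group to ACS over RADIUS and enables password management on it. The server group name ACS, the tunnel group name RA-VPN, the address 192.0.2.10 and the placeholder secrets are assumptions for illustration.

```cisco
! RADIUS server group pointing at the ACS 5.3 appliance (address is a placeholder).
! The ASA ignores password-management unless RADIUS or LDAP authentication is
! configured, so this group is the prerequisite for the tunnel-group settings below.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET>
 ! Let the ASA use MS-CHAPv2 toward this server so the ACS change-password
 ! error can be carried back to the client (matches the ACS allowed-protocol setting).
 mschapv2-capable
!
! Remote-access tunnel group authenticated against the ACS group above.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS
 ! Enable password change/expiry handling; the optional day count is only the
 ! warning window before expiry, not the password lifetime itself.
 password-management password-expire-in-days 14
!
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key <GROUP-PRESHARED-KEY>
```

With password-management enabled the VPN client prompts for an extra Domain field during XAUTH, which is the quick check for this setting mentioned earlier in the thread.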

Community Member

Users VPN with ACS 5.3

Hi Dev

In ACS 4.1 for Windows it works perfectly without any ASA config alteration. Why, with ACS 5.3, should we configure the command you mentioned above to let it work?

I will try it and keep you posted.

Thanks a lot for your help.

Jamil

Cisco Employee

Re: Users VPN with ACS 5.3

Jamil, I can understand your reasoning. Let's dive a bit deeper into this. Please share the following information with me:

-show tech from asa

-debug output from ASA 1] when connecting through ACS 4.x and 2] when connecting through ACS 5.x

Debug radius

Debug aaa common 255

-Screenshot of ACS 5.x > Monitoring Reports > AAA Protocol > Radius Authentication >

Regards,

Dev

Community Member

Users VPN with ACS 5.3

Hi Dev

It works fine, but in the user's VPN client software another field appears, named Domain, beside username and password; this confuses the VPN users a bit. Is there any command to let the Domain field disappear from the VPN client software?

Appreciate your help.

Jamil

Cisco Employee

Re: Users VPN with ACS 5.3

Hi Jamil,

As mentioned in one of my earlier posts, another field will appear for Domain, and the reason is that you are turning on MS-CHAP on the ASA for authentication, which by default has provision for an AD domain. At present there is no way to disable that extra field.

The best way is to educate the users to ignore it.

Regards,

Dev

Community Member

Users VPN with ACS 5.3

Thanks Dev.
