I have ACS Appliance 5.3. I have configured VPN users to be authenticated against the ACS internal database, but when I mark the check box "change password on next login" the VPN user is unable to connect using the VPN client software! Please, has anybody come across this issue? What is the solution to let the VPN user change their own password and log in successfully? BTW, on ACS 4.1 it works perfectly: VPN users can change their password at the next login.
There are a few things involved with the password change:
1] ACS should be configured to expire the password at next logon -- which you have done.
2] Under the ACS 5.3 Access Policy > Default Network Access (or your own service) > Allowed Protocols, MS-CHAPv2 must be enabled.
3] The VPN gateway (ASA) should have password expiry / password management enabled for the tunnel group that the user is connecting to; this way the VPN gateway will be able to send the password in MS-CHAP and then understand the MS-CHAP error (to change the password) that will be sent by the ACS 5.3.
A quick way to test whether password expiry / management is enabled on the tunnel group is to see if you are getting an additional text box for domain name, along with the user and password text boxes, on the VPN client during X-Auth.
Point 3 is more relevant if you are using Cisco's ASA as your VPN head-end/server. So please let me know which VPN server you are using; then I can explain the point better.
For the password change to work, the ASA should be configured to allow/understand the password change request sent from ACS 5.3. The way we enable it on the ASA is:

```
! create the remote-access tunnel group (or use your existing one)
hostname(config)# tunnel-group tunnel_group_name type remote-access
! password management is enabled under the tunnel group's general attributes
hostname(config)# tunnel-group tunnel_group_name general-attributes
hostname(config-tunnel-general)# password-management
```
When you configure the password-management command, the ASA notifies the remote user at login that the user's current password is about to expire or has expired. The ASA then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The ASA ignores this command if RADIUS or LDAP authentication has not been configured.
Note that this does not change the number of days before the password expires, but rather, the number of days ahead of expiration that the ASA starts warning the user that the password is about to expire.
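For reference, the ASA side of this as a complete fragment. This is an added example, not the configuration from the poster above: it shows the RADIUS server group pointing at ACS 5.3, the tunnel group with password management (including the expiry-warning knob the previous paragraph refers to), and the show commands to confirm both. The server-group name `ACS53`, the tunnel-group name `RA_VPN`, the address and the shared secret are placeholders.

```text
! Added example (not the poster's config); ACS53, RA_VPN, 192.0.2.10 and the key are placeholders.
!
! RADIUS server group pointing at the ACS 5.3 appliance.
! mschapv2-capable is the default; it lets the ASA use MS-CHAPv2 so ACS can
! return the "password expired / change password" error instead of a plain reject.
aaa-server ACS53 protocol radius
aaa-server ACS53 (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 mschapv2-capable
!
! Remote-access tunnel group authenticating against that RADIUS group.
! password-expire-in-days sets how many days before expiry the warning starts
! (default 14); it does not change when the password actually expires.
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 authentication-server-group ACS53
 password-management password-expire-in-days 14
!
! Verification: confirm password-management is present and the group uses RADIUS.
show running-config tunnel-group RA_VPN
show running-config aaa-server ACS53
```

Once `password-management` is in place, the extra Domain field on the VPN client during X-Auth is the visible sign that MS-CHAPv2 is being used for the tunnel group, which is the same check described earlier in the thread.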
In ACS 4.1 for Windows it works perfectly without any ASA config alteration. Why, with ACS 5.3, should we configure the command you mentioned above to make it work?
I will try it and keep you posted.
Thanks a lot for your help.
Jamil, I can understand your reasoning. Let's dive a bit deeper into this. Please share the following information with me:
- show tech from the ASA
- debug output from the ASA 1] when connecting through ACS 4.x and 2] when connecting through ACS 5.x, using:
debug aaa common 255
- Screenshot of ACS 5.x > Monitoring Reports > AAA Protocol > RADIUS Authentication
It works fine, but in the users' VPN client software another field appears, named Domain, beside username and password; this confuses the VPN users a bit. Is there any command to make the Domain field disappear from the VPN client software?
Appreciate your help.
As mentioned in one of my earlier posts, another field will appear for Domain, and the reason is that you are turning on MS-CHAP on the ASA for authentication, which by default has provision for an AD domain. At present there is no way to disable that extra field.
The best way is to educate the users to ignore it.