
Green

ASA "password-management" command for vpn password alerts w/ IAS

Attempting to have users alerted of password expiration via vpn client. Also it is configured to alert users 14 days prior to actual expiration. I have added the "password-management" command for the specific tunnel-group.

I tested and was not alerted of a soon-to-expire password. The only difference I saw was that a "Domain" text box was given along with the usual username/password in the vpn client.

Using IAS and AD for authentication. Anyone have this working who can help out? Thanks.

14 REPLIES
Green

Re: ASA "password-management" command for vpn password alerts w/

Update: I am prompted to change my password and am able to change my password after it has expired, but I am not alerted of an upcoming password expiration. For example my domain password expires in 11 days, I am supposed to be alerted the default 14 days before expiration.

Any ideas?

Cisco Employee

Re: ASA "password-management" command for vpn password alerts w/

Did you configure the feature when you were only 11 days from the expiry date? In that case, it would not work. It will let you change the password but will not notify for the expiration.

Also make sure, "password-expire-in-days" is not set to 0.

HTH,

-Kanishka

Green

Re: ASA "password-management" command for vpn password alerts w/

My password was due to expire in 11 days. I then set up the password-management command and used the default 14 days. I tested the vpn and was not notified of upcoming expiration. Isn't that the main feature of the command, aside from allowing the user to change the password? All the documentation says so.

Cisco Employee

Re: ASA "password-management" command for vpn password alerts w/

Hi,

The feature says, if the password-management is not set with the keyword "password-expire...." it will send the notification to the user 14 days before the expiry date.

You configured the feature when there were only 11 days left for password expiry. That's why it didn't work.

Try the above using "password-expiry..." keyword, and set the time to something lower than 11.

This should work.

*Please rate if helped.

-Kanishka

Green

Re: ASA "password-management" command for vpn password alerts w/

Sorry, maybe I'm not understanding exactly. So if I set it for 5 days, I will only be alerted on the 5th day before expiration? What about the 4th day, 3rd day, etc.? What if I don't happen to vpn on the 5th day?

Cisco Employee

Re: ASA "password-management" command for vpn password alerts w/

No, the notification will start from the 14th day.

But, if you "configure" it, after the 14th day, the feature will not work.

So, if you have configured it on the 15th day, it will start notifying you from the next day and so on.

So, now, you are left with the option of trying "password-expire....." option, cuz 14th day has already passed.

HTH,

-Kanishka

Green

Re: ASA "password-management" command for vpn password alerts w/

Ah, got it now thanks. I'll give it a shot.

New Member

Re: ASA "password-management" command for vpn password alerts w/

Does anyone know how to eliminate the "Domain" option from the login window after adding "password-management"? Thanks.

New Member

Re: ASA "password-management" command for vpn password alerts w/

No, the domain prompt will be there. You can leave it blank if you do not need it.

Mitesh

Green

Re: ASA "password-management" command for vpn password alerts w/

I never did figure this out. It still does not warn users of upcoming password expiration.

Does anyone have this working? Does this take any special config in IAS/AD?

Green

Re: ASA "password-management" command for vpn password alerts w/

I think I found my problem. This option is valid only for LDAP servers, not RADIUS, I guess.

"password-expire-in-days"

(Optional) Indicates that the immediately following parameter specifies the number of days before the current password expires that the security appliance starts warning the user about the pending expiration. This option is valid only for LDAP servers.

New Member

Re: ASA "password-management" command for vpn password alerts w/

I found out the hard way that password-management is required for RADIUS if you want to use MS-CHAPv2. This was in the tunnel-group attributes section. Otherwise, we kept defaulting to PAP. I only found out by reading a help screen on ASDM.

Cisco Employee

Re: ASA "password-management" command for vpn password alerts w/

To close this thread.

Password-management for VPN connections is only supported by two protocols, RADIUS and LDAP. I'd also like to update you that through RADIUS using Active Directory as the back-end database, we cannot send any warning messages to the end client about the days remaining before their password expires. The password expiry will happen through RADIUS when the change is required, and it is only at that moment that the user will be prompted to change the password. But users won't get any pre-warning messages. If you want that warning message to appear, then you can try configuring the ASA for LDAP authentication rather than RADIUS authentication. And it has to be LDAP over SSL that provides the warning messages, not plain LDAP. For LDAP authentication, you would be required to configure the firewall appropriately and then make use of the password-expiry feature on the ASA.

Command reference guide for password-management command

It supports the "password-expire-in-days" option for LDAP only.

(Please read the usage guidelines)

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/p.html#wp1879916

Please refer to following document,

Configuring LDAP Authentication with Microsoft Active Directory:

http://tools.cisco.com/squish/81752

Password-management (Refer to Step 9):

http://tools.cisco.com/squish/Be87D

In order to configure the ASA to communicate over MSCHAPv2 with RADIUS, we should have "password-management" under the tunnel-group. This change adds a new field for the end user to enter the domain name; however, it's optional. If you leave it blank, it will use the local domain.

~BR
Jatin Katyal

**Do rate helpful posts**

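As an added example (not from the thread and not from Cisco's documentation), the two ASA arrangements the thread contrasts: RADIUS to IAS, where password-management only enables MS-CHAPv2 and the change-on-expiry prompt, and LDAP over SSL to AD, where the 14-day warning can actually be delivered. The aaa-server names, tunnel-group name, addresses, DNs, bind password and RADIUS key are placeholders.

```cisco
! --- Arrangement 1 (added example): RADIUS to IAS, as in the original post.
! password-management is needed so the ASA uses MS-CHAPv2 instead of PAP, but
! over RADIUS the ASA cannot warn about the days remaining; the user is only
! prompted once the password has already expired.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.20
 key <SHARED-SECRET-PLACEHOLDER>
!
tunnel-group RA-VPN-RADIUS type remote-access
tunnel-group RA-VPN-RADIUS general-attributes
 authentication-server-group IAS-RADIUS
 password-management
!
! --- Arrangement 2 (added example): LDAP over SSL to Active Directory.
! server-type microsoft plus ldap-over-ssl lets the ASA read the AD password
! expiry, so password-expire-in-days can warn the client ahead of time.
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <BIND-PASSWORD-PLACEHOLDER>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
!
tunnel-group RA-VPN-LDAP type remote-access
tunnel-group RA-VPN-LDAP general-attributes
 authentication-server-group AD-LDAPS
 ! warn 14 days ahead (the default if the keyword is omitted); set it lower
 ! than the days remaining if the feature is enabled late, as discussed above
 password-management password-expire-in-days 14
```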
New Member

Re: ASA "password-management" command for vpn password alerts w/

Thanks for the follow-up Jatin; most helpful.
