Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
444
Views
0
Helpful
5
Replies

Enable Win2K password changes for 3DES VPN Clients

insightexpress
Level 1
Level 1

‎11-15-2002 01:44 PM - edited ‎02-21-2020 12:10 PM

Hello,

We're going to be implementing a password expiration policy and need VPN clients to be able to change them remotely. Currently we are using 3DES encryption with Windows 2000 authentication. When we change the Win2k account to "User must change pwd at next logon" they can no longer connct and are never presented with an option to change their password.

Is there any way to do this? Any input is appreciated.

Jim Carbone

Labels:
0 Helpful
5 Replies 5

insightexpress
Level 1
Level 1

‎11-15-2002 01:51 PM

I forgot to mention we are using a 3005 VPN Concentrator running ver. 3.5.3.A

Thanks again -

Jim Carbone

0 Helpful

doswald68
Level 1
Level 1
In response to insightexpress

‎11-18-2002 05:12 AM

We have the same issue !!!, All the responses I have recieved from Cisco is no that is not an option.

0 Helpful

travis-dennis_2
Level 7
Level 7
In response to doswald68

‎11-18-2002 06:06 AM

Are you guys trying to change the password for users with the software client? If so, I have had success with having the user activate the "start before logon" activitythat launches the VPN client efore they log on to the PC. They connect, authenticate to the 3005 then are prompted to log into the Windows 2000 domain. This way they are actually logging into the domain instead of loggin in locally using cached credentials and they would not be able to change the passwords like that. w2k gets nuts when you try to do this. I am also using 3002s in Network extension mode and have no problems with password changes.

0 Helpful

doswald68
Level 1
Level 1
In response to travis-dennis_2

‎11-18-2002 06:34 AM

I have not tried that but it presents some issues for us.

1.Multible logons for the same user ( management wants one logon otherwise it is confusing for them )

2. Multiple databases to maintain.

3. People can logon to the Network without authenticating to the domain, thus every time someone leaves the company I have to change the Group password.

Maybe I am missing some other way to configure the concentrator, but I have tested this in multiple ways and the best way for us is to require users to authenticate to both the concentrator and the domain at the same time, thus if one or the other authentication fails they do not get connected. I also have issue with the fact that we cannot run our logon scripts when users logon.

Thoughts ?

0 Helpful

travis-dennis_2
Level 7
Level 7
In response to doswald68

‎11-23-2002 07:10 PM

To clarify what I am doing, I have a 3005 at the central site, 3002s at the remote sites using Network Extension Mode and a w2k AD Domain. The users at the remote sites have PCs that belong to the domain. They log on and off just as if they were local. One log on and they are connected to the domain. No need for multiple logons. SInce I am running in Network Extension mode users can change their passwords just like local since Network Extension Mode does pretty much what it is called..extends the network. When you delete a users acount that user can no longer log onto a PC and hence, no network access. For the truly security minded you can also use Xauth to further protect network resources. I have also had success with doing this with the software client but they HAVE to use "Start before Logon" and establish the tunnel BEFORE they log onto the PC.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents