New Member

Windows Password Change Failure - ACS 3.2 and VPN 3015

Hi all,

I'm having trouble getting password changes to work with Cisco ACS 3.2, VPN 3015 and the Cisco VPN Client. I have some users configured in ACS to authenticate against our Windows Database. This works fine until their passwords expire (every 30 days). They are never presented with a change password request and the logs show 'Windows Change Password failure'.

I believe ACS is set up as specified by the documentation (with MSCHAP enabled etc).

Are there any requirements on the user account or Windows side to enable this?

Thanks,

6 REPLIES
Gold

Re: Windows Password Change Failure - ACS 3.2 and VPN 3015

Hi Jason,

Maybe User-Changeable Passwords could help you solve your issue.

Check the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/prod_installation_guide09186a00801c2e18.html

M.

Hope that helps; rate if it does.

New Member

Re: Windows Password Change Failure - ACS 3.2 and VPN 3015

Hello,

We are having a similar issue with ACS / AD and an ASA 5540 with SSL-VPN. How can we set a password to expire every 30 days and prompt the user to change it 10 days prior to that? In my view the UCP solution is only useful if a password is not set to expire and the user wants to change it.

Thanks.

-Markus

New Member

Re: Windows Password Change Failure - ACS 3.2 and VPN 3015

I am in the same boat as you, Markus - only IPsec VPN is more critical for me. I have ACS set up to pass the password expiration, but it does not seem to work.

New Member

Re: Windows Password Change Failure - ACS 3.2 and VPN 3015

After some more testing it turns out that UCP (User Changeable Password) only supports the built-in ACS database and no external ones like LDAP or AD. Hope this will change in future versions.

Regards,

-Markus

Bronze

Re: Windows Password Change Failure - ACS 3.2 and VPN 3015

We ran into a similar issue. The fix we implemented was to have the VPN client run on start-up on the laptop. The scenario is that the laptop boots up and comes to a Windows login with the VPN client in the bottom left. The user authenticates to the VPN FIRST, then enters their AD credentials in the Windows login box. If the password is expiring soon, the already authenticated user is prompted to change their password. Likely not the best fix, as the user must log in twice, but it's how we got around the issue.

-Mike

http://cs-mars.blogspot.com

Cisco Employee

Re: Windows Password Change Failure - ACS 3.2 and VPN 3015

For password change to work via the 3015 and ACS, we need the following:

1. RADIUS with expiry selected in 3015 Groups

2. In ACS->External Db->Windows Config, we need to select "Allow password change using mschap and mschapv2".
