VPN Client Password Expiry Issue (ASA & Active Directory)
ASA 5510 running 8.2(1) image
Cisco VPN Client 5.0.01.0600
Windows Active Directory server 2003
I am currently having issues with the password expiry feature for remote connections authenticating against the Active Directory server.
The secure LDAP connection is configured and working: users authenticate against Active Directory and get the correct dynamic policy based on their AD group membership.
If I set the 'User must change password at next logon' flag on the Active Directory user account, the remote user is prompted to enter a new password at the first login, as expected. I have entered the 'password-management' command on the ASA profile to achieve this; however, I was also expecting a warning message telling users 'Password will expire in n days', and this does not occur.
I have set up an account whose password is due to expire in 12 days and logged into a local Windows system to ensure the message is definitely displayed and the password is set to time out. I have also set 'password-management password-expire-in-days 14' (and have tried other values) on the ASA. However, the ASA log states the password has expired and aborts the connection.
What do I need to do to get this warning message to the remote user?
I have upgraded to version 8.2(2) and am still experiencing the same problem.
I have an account with a password expiring in 10 days. If I set 'Password Management' on the ASA to anything less than 10 days the user is allowed access; however, if I set it to 10 days or more there are no expiry warning messages and the user is denied access, and the ASA log shows the password expiring.
5|Apr 19 2010|10:28:06|713904|||||IP = 192.168.20.102, Received encrypted packet with no matching SA, dropping
3|Apr 19 2010|10:28:06|713194|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Sending IKE Delete With Reason message: No Reason Provided.
3|Apr 19 2010|10:28:06|713048|||||Group = LDAP-RAS-ACCESS, Username = me, IP = 192.168.20.102, Error processing payload: Payload ID: 14
6|Apr 19 2010|10:28:06|725007|10.20.10.14|22452|||SSL session with server inside:10.20.10.14/22452 terminated.
6|Apr 19 2010|10:28:06|113005|||||AAA user authentication Rejected : reason = Password is expiring : server = B-ACS-LDAP-SERVER : user = me
6|Apr 19 2010|10:28:06|725002|10.20.10.14|22452|||Device completed SSL handshake with server inside:10.20.10.14/22452
6|Apr 19 2010|10:28:06|725005|10.20.10.14|22452|||SSL server inside:10.20.10.14/22452 requesting our device certificate for authentication.
6|Apr 19 2010|10:28:06|725001|10.20.10.14|22452|||Starting SSL handshake with server inside:10.20.10.14/22452 for TLSv1 session.