VPN and Windows AD password

boschrexroth, Level 1

My employer has implemented an AD group policy to force password changes every 3 months. This causes a problem: when a road warrior connects via VPN and then tries to access his email or a network share, it does not allow him to, as he had already logged into his laptop with his old password and AD only prompts you to change your password on login.

Can anyone tell me how they handle this situation?

Thanks in advance.


11 Replies

acomiskey, Level 10

What device is terminating the vpn?

It is possible to change your password via the vpn client when it has expired. This is available in pix and asa.

I am using a PIX 515 running IOS 7.1.2.

What I did was force authentication through an IAS RADIUS server which looks to AD to see if the users are a member of an AD group.

I have found people using ASDM. Is this better or can I use it in conjunction with my Radius server?

Thanks.

This is the command you are looking for.

password-management

http://cisco.com/en/US/docs/security/asa/asa71/command/reference/p_711.html#wp1643267

Once enabled on the firewall all you have to do is make sure you are allowing mschap v2 in your remote access policy on IAS server.

When the user connects to the vpn and their password has expired, it will prompt them to change their password.

hostname(config)# tunnel-group group-name general-attributes

hostname(config-tunnel-general)# password-management

edit: There is also a checkbox in the remote access policy in IAS to "allow user to change password after it expires"...check it.
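For reference, here is how the pieces described above fit together on the firewall side. This is an added, constructed ASA 7.x configuration fragment, not taken from the thread; the server-group name, tunnel-group name, IP address and shared key are placeholders.

```cisco
! Constructed example (not from the thread): RADIUS server group pointing at the IAS box.
! The IAS remote access policy must permit MS-CHAP v2 and "allow user to change
! password after it has expired", and the ASA must be registered there as a
! RADIUS client with Client-Vendor set to Microsoft.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 authentication-port 1812
 accounting-port 1813
!
! Remote-access tunnel-group that authenticates against that group.
! password-management is what makes the ASA offer the expired-password change
! dialog to the VPN client instead of simply failing the login.
tunnel-group RA-VPN type ipsec-ra
tunnel-group RA-VPN general-attributes
 authentication-server-group IAS-RADIUS
 password-management
```

To validate the change on a single account first, set "User must change password at next logon" on a test user and watch the System log on the IAS server for IAS events while that user connects.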

Thanks a lot for your help.

Which Policy do I have to create in order to see the "allow user to change password after it expires" check box. I only have a "Date and Time Restriction" and "Windows Group" policies.

Thanks.

Open your existing remote access policy. Select "Edit Profile". Select the "Authentication" tab. Check MSCHAP V2 and check "user can change password after it expires".

Also, on the radius client properties for the ASA, the Client-Vendor needs to be Microsoft.

After you've set it all up you can test it by setting a user to must change password at next logon. If you've done it all right, the vpn client will now ask for username, password and domain. You can either enter the domain or leave it blank. The user should then be prompted to enter a new PIN/password.

If it doesn't work, check your event viewer on the ias server under system. Check the IAS events for errors.

Thanks acomiskey, that worked.

You are a great asset to this forum.

Good deal! Glad it worked.

I appreciate your posts, but I am having an issue with this setup. Once I enable password management I am no longer able to log in. I followed all your suggestions, which are great, but is there anything else you can think of to try?

Michael,

Need a little more info to help you. Are you using IAS? Have you looked at the logs on the IAS server in the Event Viewer?

I appreciate you getting back, but the problem has been solved. It seems that IAS was hung and not answering requests. I do want to thank you for posting the IAS instructions; they were very helpful.

Will this solution also work for the different SSL VPN implementations? I think I see how it might work with AnyConnect, but not sure how it would work with a clientless VPN. My customer wants to set up a clientless VPN solution using AD authentication, however most of the users are not MS office users where they would typically be prompted for password changes. Thanks.
