Cisco Support Community

New Member

VPN and Windows AD password

My employer has implemented an AD group policy to force password changes every 3 months. This causes a problem: when a road warrior connects via VPN and then tries to access his email or a network share, it does not allow him to, as he had already logged into his laptop with his old password and AD only prompts you to change your password on login.

Can anyone tell me how they handle this situation?

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: VPN and Windows AD password

Open your existing remote access policy. Select "Edit Profile". Select the "Authentication" tab. Check MSCHAP V2 and check "user can change password after it expires".

Also, on the radius client properties for the ASA, the Client-Vendor needs to be Microsoft.

After you've set it all up you can test it by setting a user to must change password at next logon. If you've done it all right, the vpn client will now ask for username, password and domain. You can either enter the domain or leave it blank. The user should then be prompted to enter a new PIN/password.

If it doesn't work, check your event viewer on the ias server under system. Check the IAS events for errors.

11 REPLIES
Green

Re: VPN and Windows AD password

What device is terminating the vpn?

It is possible to change your password via the vpn client when it has expired. This is available in pix and asa.

New Member

Re: VPN and Windows AD password

I am using a PIX 515 running IOS 7.1.2.

What I did was force authentication through an IAS RADIUS server, which looks to AD to see if the users are a member of an AD group.

I have found people using ASDM. Is this better or can I use it in conjunction with my Radius server?

Thanks.

Green

Re: VPN and Windows AD password

This is the command you are looking for.

password-management

http://cisco.com/en/US/docs/security/asa/asa71/command/reference/p_711.html#wp1643267

Once enabled on the firewall all you have to do is make sure you are allowing mschap v2 in your remote access policy on IAS server.

When the user connects to the vpn and their password has expired, it will prompt them to change their password.

hostname(config)# tunnel-group group-name general-attributes
hostname(config-tunnel-general)# password-management

edit: There is also a checkbox in the remote access policy in IAS to "allow user to change password after it expires"...check it.
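To put the pieces of this reply together, here is an added configuration sketch (not from the thread or from Cisco's documentation) for the firewall side on ASA/PIX 7.x: the IAS box is defined as a RADIUS server group and the remote-access tunnel-group is pointed at it with password-management enabled. The server-group name, tunnel-group name, pool name, address and shared secret are all assumed placeholders; the IAS remote access policy still has to allow MS-CHAP v2 and "allow user to change password after it expires" as described above.

```cisco
! Added example, not the original poster's config. Names and addresses are assumed.
! RADIUS server group pointing at the IAS server.
aaa-server IAS-RADIUS protocol radius
aaa-server IAS-RADIUS (inside) host 10.0.0.10
 key <shared-secret-matching-the-IAS-client-entry>
 ! IAS listens on 1812/1813 by default; the ASA/PIX default is 1645/1646,
 ! so set them explicitly to avoid silent authentication timeouts.
 authentication-port 1812
 accounting-port 1813
!
! Remote-access tunnel-group: authenticate against IAS and allow
! the client to change an expired AD password during the connection.
tunnel-group ROADWARRIORS type ipsec-ra
tunnel-group ROADWARRIORS general-attributes
 address-pool VPN-POOL
 authentication-server-group IAS-RADIUS
 password-management
!
! Quick check from the firewall CLI that RADIUS itself answers before
! testing with a "must change password at next logon" account:
! test aaa-server authentication IAS-RADIUS host 10.0.0.10 username jdoe password <pw>
```

If the test command fails, the RADIUS client entry on IAS (shared secret, Client-Vendor set to Microsoft) and the IAS events in the System log are the first things to compare against this configuration.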

New Member

Re: VPN and Windows AD password

Thanks a lot for your help.

Which Policy do I have to create in order to see the "allow user to change password after it expires" check box. I only have a "Date and Time Restriction" and "Windows Group" policies.

Thanks.

Green

Re: VPN and Windows AD password

Open your existing remote access policy. Select "Edit Profile". Select the "Authentication" tab. Check MSCHAP V2 and check "user can change password after it expires".

Also, on the radius client properties for the ASA, the Client-Vendor needs to be Microsoft.

After you've set it all up you can test it by setting a user to must change password at next logon. If you've done it all right, the vpn client will now ask for username, password and domain. You can either enter the domain or leave it blank. The user should then be prompted to enter a new PIN/password.

If it doesn't work, check your event viewer on the ias server under system. Check the IAS events for errors.

New Member

Re: VPN and Windows AD password

Thanks acomiskey, that worked.

You are a great asset to this forum.

Green

Re: VPN and Windows AD password

Good deal! Glad it worked.

New Member

Re: VPN and Windows AD password

I appreciate your posts, but I am having an issue with this setup. Once I enable password management I am no longer able to log in. I followed all your suggestions, which are great, but is there anything else you can think of to try?

Green

Re: VPN and Windows AD password

Michael,

Need a little more info to help you. Are you using IAS? Have you looked at the logs on the IAS server in the Event Viewer?

New Member

Re: VPN and Windows AD password

I appreciate you getting back, but the problem has been solved. It seems that IAS was hung and not answering requests. I do want to thank you for posting the IAS instructions; they were very helpful.

New Member

Re: VPN and Windows AD password

Will this solution also work for the different SSL VPN implementations? I think I see how it might work with AnyConnect, but I'm not sure how it would work with a clientless VPN. My customer wants to set up a clientless VPN solution using AD authentication; however, most of the users are not MS Office users who would typically be prompted for password changes. Thanks.
