ASA for Remote Access on Apple Devices

a-whitehurst
Level 1

We are using Apple devices for connection to the ASA for remote access. The authentication is LDAP; everything but password changes on expiration is working. What step am I missing? We have another set of firewalls for other remote access users authenticating against LDAP and the users are able to change their password. We are using MS AD with LDAP over SSL. Below is the system version and a version of the config:

System image file is "disk0:/asa912-smp-k8.bin"

!
aaa-server LDAP_SRV_GRP (inside) host XX.XX.XX.XX
 server-port 636
 ldap-base-dn DC=<domain>,DC=<suffix>
 ldap-group-base-dn CN=<name>,OU=<group>,DC=<domain>,DC=<suffix>
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password <password>
 ldap-login-dn CN=<user>,OU=<where located>,DC=<domain>,DC=<suffix>
 ldap-over-ssl enable
 server-type microsoft
!
tunnel-group <tunnel-name> general-attributes
 address-pool DHCP_Pool-<eligible IP Addresses>
 authentication-server-group LDAP_SRV_GRP
 default-group-policy <tunnel-name>
 password-management

3 Replies

Jeet Kumar
Cisco Employee

Hi Adrian,

Please try this and let me know if it helps:

tunnel-group <tunnel-name> general-attributes
 password-management password-expire-in-days X

(X is the number of days here)

Thanks

Jeet Kumar

Hi Jeet,

I entered the above command to expire in 7 days and it did not work, then changed it to 0 days and it did not work. In AD I have the account set to change the password upon login. Have I missed the window here for this one? Our typical password expiration is 60 days, so the only way I could think to actively test was to set it to be changed upon login.

~ Adrian

Hi Adrian,

I will do a quick test today and will let you know.

Thanks

Jeet Kumar