Can't get password expiry to work - ASA 5520 VPN and Active Directory
Hi - I'm replacing an old VPN 3000 series concentrator with a 5520, and one of the main reasons is so that we can have AD passwords expire. I've gotten to the point where I log in successfully, and if I set the AD account to "Change password on next logon", the VPN client prompts me to enter a new password. But when I do it simply says "Authentication Failed" and I'm back at the client login window. In the log I get this message:
AAA user authentication Rejected : reason = LDAP server is unwilling to modify password : server = x.x.x.x : user = me.test
I haven't been able to find anything that matches that reason for failure. Hoping someone can help.
I did try to log in and change the password without going through VPN, and that works fine. So - login through VPN is fine, changing the password when not going through VPN is fine, but trying to change the password through VPN isn't working. I've been stuck here for a while. Any help or guidance is greatly appreciated. Thanks much.
Re: Can't get password expiry to work - ASA 5520 VPN and Active
Hi - thanks for the response. I didn't know that LDAP-over-SSL was a requirement. I don't have that running. Since setting up the CA server will require a reboot I'll have to wait till this weekend to make the change. I'll let you know how I make out.
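For reference, the rejection reason in the log ("LDAP server is unwilling to modify password") is the ASA's rendering of LDAP result code 53, unwillingToPerform, which Active Directory returns when a client tries to modify the unicodePwd attribute over a cleartext LDAP (389) session. AD only accepts password changes over an encrypted connection, which is why the ASA's password-management feature needs LDAP over SSL to the DC on 636. The following is an added example configuration, not taken from this thread or from any Cisco document; the server-group name AD-LDAPS, the tunnel-group name REMOTE-VPN, the IP address 192.0.2.10, the base DN, the service-account DN and the expiry warning period are placeholders to be replaced with your own values.

```cisco
! Added example, not from the thread. Names, IP and DNs are placeholders.
! AAA server group pointing at the domain controller over LDAPS (636).
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 192.0.2.10
 ldap-base-dn DC=corp,DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com
 ldap-login-password *****
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
!
! Remote-access tunnel group that authenticates against the group above
! and turns on the password-change / expiry-warning dialog in the client.
tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group AD-LDAPS
 password-management password-expire-in-days 7
```

Before committing the change, confirm the DC actually has a certificate bound to its LDAPS listener (for example with `openssl s_client -connect <dc>:636` from a host on the inside network, which should return a certificate and not a reset connection); without a server certificate from the domain CA, the DC does not listen on 636 at all and the bind from the ASA will fail before any password modification is attempted. The `ldap-login-dn` account must also be allowed to reset passwords on the users' OU, and `server-type microsoft` is what makes the ASA use the AD-specific unicodePwd modification rather than a generic userPassword change.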
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...