Can't get password expiry to work - ASA 5520 VPN and Active Directory

vmagnanijr (Level 1)

Hi - I'm replacing an old VPN 3000 series concentrator with a 5520, and one of the main reasons is so that we can have AD passwords expire. I've gotten to the point where I log in successfully, and if I set the AD account to "Change password on next logon", the VPN client prompts me to enter a new password. But when I do it simply says "Authentication Failed" and I'm back at the client login window. In the log I get this message:

AAA user authentication Rejected : reason = LDAP server is unwilling to modify password : server = x.x.x.x : user = me.test

I haven't been able to find anything that matches that reason for failure. Hoping someone can help.

I did try to log in and change the password without going through the VPN, and that works fine. So - login through the VPN is fine, changing the password when not going through the VPN is fine, but trying to change the password through the VPN isn't working. I've been stuck here for a while. Any help or guidance is greatly appreciated. Thanks much.

Victor Magnani

College of Staten Island, CUNY

5 Replies

mulatif (Cisco Employee)

Are you using ldap-over-ssl to connect the ASA to the AD? This is a requirement.

If yes, then is the LDAP binding account at least a member of the "Account Operators" group? Perhaps make it a member of the Administrators group for testing.

Thanks,

Naman

Hi - thanks for the response. I didn't know that LDAP-over-SSL was a requirement. I don't have that running. Since setting up a CA server will require a reboot I'll have to wait till this weekend to make the change. I'll let you know how I make out.

Victor

Hi.

You don't need a CA server on the same AD Server to have SSL enabled on the Windows AD Server.

See this from Microsoft

http://support.microsoft.com/kb/321051

After you have completed the above part then in ASA you need to configure "ldap-over-ssl enable" in the "aaa-server" group that you defined for LDAP.

Naman
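As an added illustration of the fix described in this reply (example code, not from the thread or from Cisco): a small audit script that reads a saved ASA running-config, picks out the `aaa-server ... host` blocks belonging to LDAP groups, and flags any that lack `ldap-over-ssl enable`, which is exactly the gap behind the "LDAP server is unwilling to modify password" rejection. The embedded configuration is constructed (RFC 5737 test addresses, fictional DNs); `AD-LDAP-WEAK` mirrors the original poster's setup and `AD-LDAPS` carries the corrected settings. The parser and the `audit` function are hypothetical helpers written for this example.

```python
"""Audit Cisco ASA LDAP AAA server groups for LDAP-over-SSL.

Hypothetical defender-side helper (not Cisco's code): parse the
'aaa-server ... host ...' blocks out of a saved ASA configuration and
flag LDAP groups that lack 'ldap-over-ssl enable', the setting whose
absence makes Active Directory refuse password changes from the ASA.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config (RFC 5737 test addresses, fictional DNs).
# AD-LDAP-WEAK reproduces the configuration gap from the thread;
# AD-LDAPS carries the fix (ldap-over-ssl enable on port 636).
SAMPLE_CONFIG = """\
aaa-server AD-LDAP-WEAK protocol ldap
aaa-server AD-LDAP-WEAK (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=test
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,cn=Users,dc=example,dc=test
 ldap-login-password *****
 server-type microsoft
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=test
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,cn=Users,dc=example,dc=test
 ldap-login-password *****
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
aaa-server RADIUS-GRP protocol radius
aaa-server RADIUS-GRP (inside) host 192.0.2.20
 key *****
"""

PROTO_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)\s*$")


@dataclass
class AaaHost:
    group: str
    iface: str
    host: str
    attrs: dict = field(default_factory=dict)  # indented sub-commands


def parse_hosts(config: str) -> tuple[dict, list]:
    """Return ({group: protocol}, [AaaHost, ...]) from ASA running-config text."""
    protocols: dict = {}
    hosts: list = []
    current = None
    for line in config.splitlines():
        if m := PROTO_RE.match(line):
            protocols[m.group(1)] = m.group(2)
            current = None
        elif m := HOST_RE.match(line):
            current = AaaHost(*m.groups())
            hosts.append(current)
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current.attrs[key] = value
        else:
            current = None  # any other top-level line ends the host block
    return protocols, hosts


def audit(config: str) -> dict:
    """Map each LDAP host block ('group@host') to its list of findings."""
    protocols, hosts = parse_hosts(config)
    findings: dict = {}
    for h in hosts:
        if protocols.get(h.group) != "ldap":
            continue  # RADIUS, TACACS+ etc. are out of scope here
        issues = []
        if h.attrs.get("ldap-over-ssl") != "enable":
            issues.append("ldap-over-ssl not enabled: AD refuses password "
                          "changes over cleartext LDAP")
        elif h.attrs.get("server-port", "636") != "636":
            # Only an explicit non-standard port is flagged; with
            # ldap-over-ssl enabled the ASA defaults to 636 when
            # server-port is omitted.
            issues.append(f"ldap-over-ssl enabled but server-port is "
                          f"{h.attrs['server-port']}, expected 636")
        if "ldap-login-dn" not in h.attrs:
            issues.append("no ldap-login-dn: password changes need an "
                          "authenticated bind account")
        findings[f"{h.group}@{h.host}"] = issues
    return findings


if __name__ == "__main__":
    for target, issues in audit(SAMPLE_CONFIG).items():
        print(("OK  " if not issues else "FAIL") + "  " + target)
        for issue in issues:
            print(f"      - {issue}")
```

Run it against `show running-config` output saved to a file (swap `SAMPLE_CONFIG` for the file contents); a clean result means every LDAP group the ASA uses for VPN authentication is already bound over SSL, which is the precondition the replies above describe for password changes to succeed. The bind account's group membership on the AD side cannot be read from the ASA config, so that check from the first reply still has to be done in AD itself.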

Sorry I didn't respond sooner - that did the trick, thanks!

Victor

Great...Glad it worked..
