Re: Cisco ASA VPN password-management (change password) _WITHOUT

will · ‎02-03-2012

I am looking for a way to support change password (password-expiry), or password-management on RA vpn clients without using a single Microsoft product. I have tried to make it work with openLDAP, which doesn't work. That was the alternative since customer didn't want to run M$ LDAP (AD). So since LDAP was out, I researched Radius feature. But I am finding all links suggesting the user database must always live on a Microsoft AD controller. So the question is: Can i actually expire passwords, prompt users via vpn client and webvpn to change them and do this successfully, running no Microsoft products? Simple question!?

Marvin Rhoads · ‎02-04-2012

How about using a Cisco ACS 5.x appliance a la this example? It has lots of identity store options, including internal and RADIUS (in addition to MS AD and LDAP). See the ACS User Guide for details.

will · ‎02-06-2012

Hi Marvin, thx for reply. Yes, I was considering that, but had a few concerns/questions:

1) Does ACS really work with a standalone user DB, like that? IOW, can I avoid connecting to a backend Microsoft AD server and still get PWD change functionality. I set ACS up with AD backend in the past to make this work. Don't know if the newer version of ACS can handle PWD change on its own.

2) ACS Express product is going end of life? I like the Express product for this environment because of its lower cost. Is Cisco getting rid of this? Are they replacing it with something else?

Marvin Rhoads · ‎02-06-2012

1) I'm pretty sure it does. I haven't done it personally but the documentation I linked above describes just that functionality. I also found a thread on the net that describes another person doing it: http://boardreader.com/thread/Cisco_ACS_password_change_request_does_n_1ihX49t.html

2) I don't know about ACS Express myself but the EOL/EOS Notice says the replacement products are the ACS appliance or VM. Cisco is moving to more of the tiered license setup in a lot of their software offerings. I agree that ends up costing the smaller scale users more money. (e.g., ACS 5.3 VM Base license list price is US$11,995)

If you're not leveraging all of the ACS functions, it ends up being a pretty expensive way to manage your authentication (for example). Of course there are open source RADIUS implementations but then you might not get "fancy" features like password expiration notices.

will · ‎02-06-2012

Just finished researching some pricing and it does look like cisco is pricing themselves out of the market on this one. the entry level street pricing for a redundant pair of ACS controllers now-a-days is:

ACS VMware image option:

VMware Image License: ~$7500 x 2

Dell Server Box (to run VMware): ~$1000 x 2

Support cost: ~$2100/yr

Total: ~$19100 first year + $2100/year (software upgrades)

ACS 1121 Appliance option:

Cisco ACS 1121: ~$6000 x 2

Support cost: ~$2100+$300/yr (should be 2 x both, but I just did one)

Total: ~$14400 first year + $2400/year (software upgrades)

nobody except a super-large corporation is going to pay even $15k for VPN authentication. the VPN firewalls (ASA's) don't even cost that much! cisco marketing, are you out there: I guess you want people to start migrating authentication to a microsoft product?

Cisco ASA VPN password-management (change password) _WITHOUT_ Microsoft products