Cisco ASA VPN password-management (change password) _WITHOUT_ Microsoft products
I am looking for a way to support change password (password expiry), or password management, on RA VPN clients without using a single Microsoft product. I have tried to make it work with openLDAP, which doesn't work. That was the alternative since the customer didn't want to run M$ LDAP (AD). So since LDAP was out, I researched the RADIUS feature. But I am finding all links suggesting the user database must always live on a Microsoft AD controller. So the question is: can I actually expire passwords, prompt users via the VPN client and WebVPN to change them, and do this successfully, running no Microsoft products? Simple question!?
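For reference, this is the ASA-side configuration that enables the password-management prompt on a remote-access tunnel group backed by a RADIUS server group. It is an added example, not configuration from the original post or from Cisco; the group names, interface name, address 192.0.2.10 and the placeholder secret are assumptions. The ASA only raises the change-password dialog and forwards the new password (via MS-CHAPv2 on RADIUS); whether the change is actually applied, and whether expiry warnings are returned, depends entirely on the backend the RADIUS server authenticates against, which is the part the thread is asking about.

```cisco
! Added example: RADIUS server group used for remote-access authentication.
! 192.0.2.10 and the shared secret are placeholders, not values from the thread.
aaa-server RA-RADIUS protocol radius
aaa-server RA-RADIUS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 ! Password change over RADIUS is carried in MS-CHAPv2; the server must
 ! accept MS-CHAPv2 and implement the password-change flow for it to work.
 mschapv2-capable

! Remote-access tunnel group that uses the group above.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RA-RADIUS
 ! Prompt the user to change an expiring password; the day count is the
 ! warning window shown to the client before expiry.
 password-management password-expire-in-days 14
```

If the backend behind the RADIUS server does not honour the change, the ASA prompt appears but the new password is rejected, so test the full loop (expire a test account, connect, change, reconnect) against the candidate backend before committing to it.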
Hi Marvin, thanks for the reply. Yes, I was considering that, but had a few concerns/questions:
1) Does ACS really work with a standalone user DB like that? IOW, can I avoid connecting to a backend Microsoft AD server and still get PWD change functionality? I set ACS up with an AD backend in the past to make this work. I don't know whether the newer version of ACS can handle PWD change on its own.
2) ACS Express product is going end of life? I like the Express product for this environment because of its lower cost. Is Cisco getting rid of this? Are they replacing it with something else?
2) I don't know about ACS Express myself but the EOL/EOS Notice says the replacement products are the ACS appliance or VM. Cisco is moving to more of the tiered license setup in a lot of their software offerings. I agree that ends up costing the smaller scale users more money. (e.g., ACS 5.3 VM Base license list price is US$11,995)
If you're not leveraging all of the ACS functions, it ends up being a pretty expensive way to manage your authentication (for example). Of course there are open source RADIUS implementations but then you might not get "fancy" features like password expiration notices.
Just finished researching some pricing and it does look like Cisco is pricing themselves out of the market on this one. The entry-level street pricing for a redundant pair of ACS controllers nowadays is:
ACS VMware image option:
VMware Image License: ~$7500 x 2
Dell Server Box (to run VMware): ~$1000 x 2
Support cost: ~$2100/yr
Total: ~$19100 first year + $2100/year (software upgrades)
ACS 1121 Appliance option:
Cisco ACS 1121: ~$6000 x 2
Support cost: ~$2100+$300/yr (should be 2 x both, but I just did one)
Total: ~$14400 first year + $2400/year (software upgrades)
Nobody except a super-large corporation is going to pay even $15k for VPN authentication. The VPN firewalls (ASAs) don't even cost that much! Cisco marketing, are you out there? I guess you want people to start migrating authentication to a Microsoft product?