10-13-2009 05:54 AM
I'm using an ASA 5510 with local user authentication for VPN access. Is there a method that I can use to prompt for user password changes after a given time? If not with local accounts, what other authentication methods may be available to prompt users for password changes and provide them with that capability?
My clients are using AnyConnect 2.3.2016 and the ASA is v 8.0(4)
Thanks,
Ken
10-13-2009 01:10 PM
Ken-
Local passwords never expire, so there is no way to force password changes using the local database. The good news is that it can be done using an AAA server like Cisco ACS. It can also map back to your domain or LDAP realms and use those user names & passwords!
http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html
Hope that helps.
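For anyone landing here with the same question: the ASA itself has a tunnel-group setting that turns on expiry warnings and password changes once authentication is moved off the local database. The configuration below is my own added example, not the poster's config or anything from the thread; the names, the IP address, the bind DN, the tunnel-group name and the 14-day warning value are all placeholders you would replace. It points a remote-access tunnel-group at Active Directory over LDAP and enables the `password-management` feature:

```cisco
! Added example: LDAP (Active Directory) authentication for AnyConnect
! with password-expiry prompting. Hostnames/IPs/DNs are placeholders.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ! AD refuses password changes over cleartext LDAP, so use LDAPS (636).
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-account-password>
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group AD-LDAP
 ! Warn users 14 days before expiry and let them change the password
 ! through the AnyConnect login dialog.
 password-management password-expire-in-days 14
```

Two caveats from experience. First, the expiry warning and the change dialog only work when the ASA can actually write the new password back, which for AD means LDAPS (or RADIUS with MS-CHAPv2 if you go the RADIUS route); without that the user is simply told the password has expired. Second, the bind account needs only read access for authentication, and the user's own credentials are what perform the change, so keep that service account unprivileged. Check the `password-management` options against your exact 8.0(4) release with `?` before relying on them.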
10-13-2009 01:14 PM
Thanks for the response. I kind of thought that was going to be the case. Do you know of any security concerns that would lean a person one way or the other regarding RADIUS vs LDAP?
Thanks again
10-13-2009 01:25 PM
I would lean towards TACACS if you can. It encrypts the AAA packets, whereas RADIUS creates a hash of them.
10-14-2009 04:53 AM
I'll look into it!
Thanks again for your response.