Does a PIX with RADIUS to Win2003 handle password renewal?


I have a PIX 515e that users connect to via MS PPTP VPN client. Currently, the users authenticate against a list kept on the PIX box. I want to set up RADIUS authentication to a Win2003 AD network. Before I do this, I am curious about password renewal.

Our Windows network requires a change of password at regular intervals. Some of the users will be away from the office when their password is due for renewal. How does the PIX box handle this? Will the users be asked to change their passwords as they connect to the VPN (the PIX box)? Or do they have to log onto a Windows server specifically to do this?

Could someone who's seen this explain to me how it will work?
Thanks in advance!
rsivanandan commented:
It never works. The only way I made the policy work is to have them log on to their office machines through Remote Desktop and then change the password.

Or else you could get a coding guy to create a page in your intranet for changing the password. That works well.

Cyclops3590 commented:
Personally I can't believe it would handle it at all (unless someone has actually seen it work). Here's why. The PIX relays the auth parameters to the MS IAS (RADIUS) server, which in turn relays that to the AD for a yea/nay answer to approve.

So if the password is expired, the RADIUS server will most likely log the fact that it is expired, but will relay an answer of denied access.

Best thing I can think of is to create a new PPTP group with the RADIUS auth. Then set an acct to expire. Then try it and confirm. I just refuse to believe it would work, as too many different technologies and protocols are being relayed through for the authentication answer.
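The test set-up suggested above, written out as an added example (not from the original thread or from any of the posters): a second PPTP group on a PIX 6.x that authenticates against RADIUS instead of the local user list, so an expired test account can be tried without touching the existing group. The IAS server address (192.168.1.10 on the inside interface), the shared secret, the address pool and the group tag `pptp-radius` are assumptions; substitute your own.

```cisco
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10 radiuskey timeout 10
ip local pool radius-pool 10.10.10.1-10.10.10.10
vpdn group pptp-radius accept dialin pptp
vpdn group pptp-radius ppp authentication mschap
vpdn group pptp-radius ppp encryption mppe 128 required
vpdn group pptp-radius client configuration address local radius-pool
vpdn group pptp-radius client authentication aaa RADIUS
vpdn enable outside
```

On the IAS side the PIX has to be registered as a RADIUS client with the same shared secret, and the remote access policy has to permit MS-CHAP for the test account. To run the test, tick "User must change password at next logon" on a throwaway AD account, connect with the PPTP client, and read the result off the IAS event log rather than the client error: the log shows whether the request was rejected and gives the reason, which is the answer the question is after.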
Cyclops3590 commented:
I realize it's not the best "fix", but can you just set the notification for password expiration to come sooner, so that they know that if they are going to be gone they can change it before they leave? I assume by "regular intervals" it's something like 6 months or in that neighborhood. Could you set the reminder to start at 21 days prior to expiration, maybe?

Don't know, just thinking out loud.
Keith Alabaster, Enterprise Architect, commented:
We had a lot of problems with this and eventually moved the RADIUS to a Cisco ACS box. It wasn't that M$ didn't work, it was more that it was never consistent. Finally went for hard tokens and the ACS server; works brilliantly.
dreadman2k (Author) commented:
Thanks, guys!

That was the sort of info I was looking for. It seems I was right to be concerned about the password renewal as a source of trouble.
Now that you have clued me in I can look at options. I would prefer hard tokens & such, but may be able to get it going with RADIUS & a web page for password renewal.

Again, thank you for the useful info!
Keith Alabaster, Enterprise Architect, commented:
Thanks :)

