Solved

Cisco PIX and ACS - VPN client won't prompt to change password

Posted on 2008-10-23
1,753 Views
Last Modified: 2008-11-06
I currently have a PIX (IOS 6.3), and an ACS (v4.1) server. VPN clients connect to the PIX and are authenticated by the ACS through the external Windows database for Active Directory. The problem is when a user in AD has the option checked for "User must change password at next login", the VPN client fails immediately with Reason 413: User authentication failed.

One thing I found from here:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80478ad7.html
... but not sure if it applies because I am using an ACS. Would this be the correct usage line for the PIX?

aaa authentication login USERAUTH passwd-expiry group radius

Is that needed even if using an ACS? Is there anything else I'm missing? Please let me know what other information you need to help me out.

Thanks!
2 Comments

Accepted Solution

by:
vivek283 earned 125 total points
ID: 22891785
Hi,

PIX 6.x does not support password change on expiry for VPN clients. For password change, MS-CHAPv2 must be used. IPsec uses PAP.

This feature was introduced on the PIX in 7.0. On 7.x the tunnel group can be configured for radius-with-expiry or password-management. This will work with AD as external DB to ACS.
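For readers on PIX/ASA 7.x who want to see what the answer above refers to, here is the tunnel-group configuration that enables expired-password handling for IPsec remote-access clients authenticated through a RADIUS (ACS) server. This is an added example, not configuration from the question or the answer; the server group name, tunnel-group name, address and key are placeholders, and the 7.0 `radius-with-expiry` form is shown commented out because 7.1 and later replaced it with `password-management`.

```cisco
! Added example (not from the original thread). Names and addresses are placeholders.
! Applies to PIX/ASA 7.1 or later; PIX 6.x has no equivalent.

! RADIUS server group pointing at the ACS (shared secret is a placeholder)
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key SHARED-SECRET-PLACEHOLDER

! IPsec remote-access tunnel group for the VPN client users
tunnel-group VPN-USERS type ipsec-ra
tunnel-group VPN-USERS general-attributes
 authentication-server-group ACS-RADIUS
 ! Makes the PIX/ASA use MS-CHAPv2 with the RADIUS server so that an
 ! expired/must-change AD password triggers a change prompt on the client
 ! instead of a plain authentication failure (Reason 413).
 password-management

! PIX/ASA 7.0 used this older keyword in the same place instead:
! tunnel-group VPN-USERS general-attributes
!  radius-with-expiry
```

Two things to check besides the firewall side: the `password-expire-in-days` option of `password-management` is documented for LDAP only, so it is omitted here for a RADIUS group, and the ACS external Windows database must itself be set to permit password changes over MS-CHAPv2, since with PAP (the only option on PIX 6.x) the ACS has no way to return a change-password exchange to the client.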

Author Comment

by:djspin007
ID: 22895417
Thanks for the info! I guess that's why so many people had VPN Concentrators prior to upgrading to PIX 7.x or replacing it with an ASA. Glad to hear though I didn't miss something in the configuration.
