Solved

CIsco PIX and ACS - VPN client won't prompt to change password

Posted on 2008-10-23
2
1,750 Views
Last Modified: 2008-11-06
I currently have a PIX (IOS 6.3), and an ACS (v4.1) server. VPN clients connect to the PIX and are authenticated by the ACS through the external Windows database for Active Directory. The problem is when a user in AD has the option checked for "User must change password at next login", the VPN client fails immediately with Reason 413: User authentication failed.

One thing I found from here:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80478ad7.html
... but not sure if it applies because I am using an ACS. Would this be the correct usage line for the PIX

aaa authentication login USERAUTH passwd-expiry group radius

Is that needed even if using an ACS? Is there anything else I'm missing? Please let me know what other information you need to help me out.

Thanks!
0
Comment
Question by:djspin007
2 Comments
 
LVL 2

Accepted Solution

by:
vivek283 earned 125 total points
ID: 22891785
Hi,

PIX 6.x does not support password change on expiry for VPN clients. For password change ms-chap-v2 must be used. IPSEC uses PAP.

This feature was introduced on PIX on 7.0. On 7.x the tunnel group can be configured for radius-with-expiry or password-management. This will work with AD as external DB to ACS.
0
 

Author Comment

by:djspin007
ID: 22895417
Thanks for the info! I guess that's why so many people had VPN Concentrators prior to upgrading to PIX 7.x or replacing it with an ASA. Glad to hear though I didn't miss something in the configuration.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco MRA Phones 4 69
Outgoing Call restriction in Cisco UC560 2 71
Setup NAT/PAT question 3 42
Help with an ACL to isolate our wireless newtork 9 17
Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now