Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Configuring AnyConnect VPN Connections
You can configure password management for IPsec remote access and SSL VPN tunnel-groups.
Note: Some RADIUS servers that support MS-CHAP currently do not support MS-CHAPv2. This
feature requires MS-CHAPv2, so please check with your vendor.
The ASA, releases 7.1 and later, generally supports password management for the following
connection types when authenticating with LDAP or with any RADIUS configuration that supports
MS-CHAPv2:
AnyConnect VPN client
IPsec VPN client
Clientless SSL VPN
Password management is not supported for any of these connection types for Kerberos/Active
Directory (Windows password) or NT 4.0 Domain. The RADIUS server (for example, Cisco ACS)
could proxy the authentication request to another authentication server. However, from the ASA
perspective, it is talking only to a RADIUS server.
Note: For LDAP, the method to change a password is proprietary for the different LDAP servers
on the market. Currently, the ASA implements the proprietary password management logic
only for Microsoft Active Directory and Sun LDAP servers.
Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to
do password management for LDAP. By default, LDAP over SSL uses port 636.
Note: Allowing override account-disabled is a potential security risk.
Notify user __ days prior to password expiration—Specifies that ASDM must notify the user at
login a specific number of days before the password expires. The default is to notify the user 14
days prior to password expiration and every day thereafter until the user changes the password.
The range is 1 through 180 days.
Notify user on the day password expires—Notifies the user only on the day that the password
expires.
In either case, if the password expires without being changed, the ASA offers the user the
opportunity to change the password. If the current password has not expired, the user can still
log in using that password.
Note: This does not change the number of days before the password expires, but rather, it enables
the notification. If you select this option, you must also specify the number of days.
Override account-disabled indication from AAA server—Overrides an account-disabled
indication from a AAA server.
Find—Enter a GUI label or a CLI command to use as a search string, then click Next or Previous to
begin the search.
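An added example, not part of the Cisco guide: a short Python audit of a running-config export that flags the two risks this section names, a connection profile with override-account-disable set and password management pointed at an LDAP server group that has a host without LDAP over SSL. The CLI keywords are the command-line counterparts of the ASDM fields described here and do not appear on this page; the sample configuration, names and addresses are constructed.

```python
import re

# Constructed running-config excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 ldap-over-ssl enable
aaa-server LDAP-LAB protocol ldap
aaa-server LDAP-LAB (inside) host 192.0.2.20
tunnel-group EMPLOYEES general-attributes
 authentication-server-group LDAP-AD
 password-management password-expire-in-days 14
tunnel-group CONTRACTORS general-attributes
 authentication-server-group LDAP-LAB
 password-management
 override-account-disable
"""

def audit(config):
    """Return sorted (tunnel_group, finding) pairs for the two risks named above."""
    ldap_groups, hosts, tgroups, section = set(), {}, {}, None
    for line in filter(str.strip, config.splitlines()):    # skip blank lines
        words = line.split()
        if not line.startswith(" "):                       # top-level line opens a new section
            section = None
            if m := re.match(r"aaa-server (\S+) protocol ldap\s*$", line):
                ldap_groups.add(m[1])
            elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line):
                section = ("host", (m[1], m[2]))
                hosts[section[1]] = False                  # no SSL until the sub-command is seen
            elif m := re.match(r"tunnel-group (\S+) general-attributes\s*$", line):
                section = ("tg", m[1])
                tgroups[m[1]] = {}
        elif section and section[0] == "host" and words == ["ldap-over-ssl", "enable"]:
            hosts[section[1]] = True
        elif section and section[0] == "tg":
            tgroups[section[1]][words[0]] = words[1:]      # sub-command -> its arguments
    plain = {g for (g, _), ssl in hosts.items() if not ssl}  # groups with a non-SSL host
    findings = []
    for name, tg in tgroups.items():
        auth = next((w for w in tg.get("authentication-server-group", []) if w[0] != "("), None)
        if "override-account-disable" in tg:
            findings.append((name, "override-account-disable is set"))
        if "password-management" in tg and auth in ldap_groups & plain:
            findings.append((name, f"password management over LDAP without SSL ({auth})"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```

The LDAP check covers only server groups declared with protocol ldap; RADIUS server groups are not examined.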
Modes
The following table shows the modes in which this feature is available: