Cisco AnyConnect – Allow domain password change via LDAP
KB ID 0001273
If you have remote users connecting through a VPN, and a policy that forces them to change their password periodically, they can end up locked out with no way to change their password from outside the network.
If your Cisco ASA uses LDAP to authenticate your users, you can configure your remote AnyConnect VPN to allow them to reset their passwords remotely.
Standard LDAP runs over TCP port 389. For the ASA to be able to reset user passwords, it must talk to the domain controller over LDAPS (TCP port 636). Your AD server must therefore be able to accept LDAPS connections, which it is NOT by default. I've already covered how to set that up in another post, see the following article.
Windows Server 2012 – Enable LDAPS
So, assuming the AD server(s) the Cisco ASA authenticates against are already set up for LDAPS, you need to make sure the AAA server settings for LDAP are set to use port 636.
Enable LDAPS via command line
On my test network I only have one LDAP server in my LDAP AAA pool; you may need to repeat this procedure for every server in your pool.
Petes-ASA(config)# aaa-server LDAP-Server-Test (inside) host 192.168.110.10
Petes-ASA(config-aaa-server-host)# server-port 636
Petes-ASA(config-aaa-server-host)# ldap-over-ssl enable
Enable LDAPS via ASDM
Log in to ASDM > Configuration > Device Management > Users/AAA > AAA Server Groups > select the LDAP server group > select the server > Edit > tick Enable LDAP over SSL > Server Port = 636.
Note: If you try to reset a user's password without LDAPS, you will see the following error:
Unwilling to make a password change
Next, you need to edit the AnyConnect connection profile to allow password reset (or the tunnel-group, if you are working from the command line).
Allow password reset via command line
Petes-ASA(config)# tunnel-group AnyConnect-Profile general-attributes
Petes-ASA(config-tunnel-general)# password-management password-expire-in-days 3
Allow password reset via ASDM
Connect to ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > select the profile used for AnyConnect > Edit > Advanced > General > Password Management > tick Enable Password Management > select Notify user how many days before password expires and set the number of days > OK > Apply > File > Save Running Configuration to Flash.
Users can now reset their password remotely when it has expired, and they will be warned in advance when it is about to expire.
If you want to test this with a specific user, you can set their password to 'expired' using the following procedure:
Reset the password expiration date for AD users
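The following Python is an added example, not part of the original article and not Cisco or Microsoft tooling. Using only the standard library, it shows the arithmetic a password-aware LDAP client (such as the ASA with password-management enabled) has to do: convert the user's pwdLastSet FILETIME and the domain's maxPwdAge into "days until expiry", decide whether that means warn, force a change, or nothing (the "expire-in-days" threshold above), and build the UTF-16LE unicodePwd value that AD will only accept over an encrypted LDAPS connection. pwdLastSet, maxPwdAge, unicodePwd and userAccountControl are the real AD attribute names; the 42-day policy, dates and password in the sample are constructed values.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores pwdLastSet as a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10

# userAccountControl flag: the account's password never expires.
UF_DONT_EXPIRE_PASSWD = 0x10000
# maxPwdAge value on the domain object meaning "passwords never expire".
MAX_PWD_AGE_NEVER = -0x8000000000000000


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to AD FILETIME ticks."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = delta.days * 86_400_000_000 + delta.seconds * 1_000_000 + delta.microseconds
    return micros * TICKS_PER_MICROSECOND


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert AD FILETIME ticks back to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def days_until_expiry(pwd_last_set: int, max_pwd_age: int, now: datetime,
                      user_account_control: int = 0) -> Optional[int]:
    """
    Whole days until the password expires: expiry = pwdLastSet + |maxPwdAge|.
    None  -> the password never expires (account flag or domain policy).
    <= 0  -> already expired. pwdLastSet == 0 is AD's "must change password at
             next logon", which is the state the test procedure above puts a
             user into, so it is treated as expired.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return None
    if pwd_last_set == 0:
        return 0
    # maxPwdAge is stored as a negative tick count, so negate it for the duration.
    max_age = timedelta(microseconds=-max_pwd_age // TICKS_PER_MICROSECOND)
    expires_at = filetime_to_datetime(pwd_last_set) + max_age
    remaining = expires_at - now.astimezone(timezone.utc)
    return remaining.days  # floor: 2 days 23 h is reported as 2


def asa_password_action(days: Optional[int], expire_in_days: int = 3) -> str:
    """
    Mirror the outcomes of the ASA's password-management setting (assumed
    simplification): 'change' when the password has already expired (the user
    is prompted to set a new one through the tunnel), 'warn' when it expires
    within password-expire-in-days, otherwise 'ok'.
    """
    if days is None or days > expire_in_days:
        return "ok"
    if days <= 0:
        return "change"
    return "warn"


def encode_unicode_pwd(new_password: str) -> bytes:
    """
    AD's unicodePwd attribute must be written as the password wrapped in double
    quotes and encoded as UTF-16LE. AD only accepts this modify over an
    encrypted connection (LDAPS on 636); over plain LDAP on 389 it refuses with
    LDAP result code 53 (unwillingToPerform), the "unwilling" error shown above.
    """
    return f'"{new_password}"'.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample: 42-day policy, password last set 1 Dec 2016, checked on 10 Jan 2017.
    policy = -42 * 24 * 3600 * 10_000_000
    last_set = datetime_to_filetime(datetime(2016, 12, 1, tzinfo=timezone.utc))
    today = datetime(2017, 1, 10, tzinfo=timezone.utc)
    days = days_until_expiry(last_set, policy, today)
    print(days, asa_password_action(days))  # 2 warn
```

Run it as-is to see the sample case; feed it real pwdLastSet and maxPwdAge values (both are plain integers when read over LDAP) to check what the ASA should be telling a given user before you test the VPN prompt itself.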
Related articles, references, credits or external links