Cisco AnyConnect – Allow domain password change via LDAP



KB ID 0001273


If you have remote users who connect over a VPN, and a domain policy that forces them to change their password periodically, an expired password can lock them out of the VPN with no way to change the password from outside the network.

If your Cisco ASA authenticates users against LDAP (Active Directory), you can configure the AnyConnect remote-access VPN so that users can change an expiring or expired password remotely, before the tunnel comes up.


Standard LDAP runs over TCP port 389; for the ASA to change a user's password, it must talk to the domain controller over LDAPS (TCP port 636), because Active Directory refuses password changes over an unencrypted connection. Your AD server must therefore accept LDAPS, which it does not by default; how to set this up is covered in another post, see the article below.

Windows Server 2012 – Enable LDAPS

So, assuming the AD server(s) the Cisco ASA authenticates to are already set up for LDAPS, you need to make sure the AAA server entries for LDAP are set to use port 636 with LDAP over SSL enabled.

Enable LDAPS via command line

On my test network I only have one LDAP server in my LDAP AAA server group; you will need to repeat this procedure for every server in yours.

Petes-ASA(config)# aaa-server LDAP-Server-Test (inside) host <ldap-server-ip>
Petes-ASA(config-aaa-server-host)# ldap-over-ssl enable
Petes-ASA(config-aaa-server-host)# server-port 636

Changing the port on its own is not enough: without ldap-over-ssl enable the ASA will still send cleartext LDAP, just to port 636. That command is the CLI equivalent of the "Enable LDAP over SSL" tick box in ASDM. Replace <ldap-server-ip> with the address of your domain controller.

Activate LDAPS from within ASDM

Log in to ASDM > Configuration > Device Management > Users/AAA > AAA Server Groups > select the LDAP server group > select the server > Edit > tick Enable LDAP over SSL > Server Port = 636 > OK > Apply.

Note: If you try to change a user's password without LDAPS, you will see the following error;

Unwilling to make a password change

Next, you need to edit the AnyConnect connection profile to enable password management, or edit the matching tunnel-group if you are working on the command line.

Allow password reset via command line

Petes-ASA(config)# tunnel-group <anyconnect-profile-name> general-attributes
Petes-ASA(config-tunnel-general)# password-management password-expire-in-days 3

Replace <anyconnect-profile-name> with the name of your AnyConnect connection profile (tunnel-group). The number of days is how far in advance users are warned that their password is about to expire.

Allow password reset via ASDM

Connect to ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > select your AnyConnect profile > Edit > Advanced > General > Password Management > tick Enable Password Management > select "Notify user N days before password expires" and set the number of days > OK > Apply > File > Save Running Configuration to Flash.

Now users can change their password remotely: they are warned the configured number of days before it expires, and are prompted to change it at logon once it has expired.
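The two sections above, brought together as one complete ASA configuration. This is an added example, not the configuration from the original post: the server group name LDAP-Server-Test, the tunnel-group name ANYCONNECT-PROFILE, the address 192.168.100.10, the DNs under example.com and the test user are all placeholders to substitute with your own values.

```cisco
! Added example, not the original post's config. Names, IPs and DNs are placeholders.
!
! AAA server group for Active Directory, reached over LDAPS.
aaa-server LDAP-Server-Test protocol ldap
aaa-server LDAP-Server-Test (inside) host 192.168.100.10
 ! Both lines are needed: the port alone does not turn on TLS.
 ldap-over-ssl enable
 server-port 636
 ! Where the ASA searches for users and which account it binds with to do so.
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 ! Tells the ASA to use the Microsoft AD attribute set (needed for password management).
 server-type microsoft
!
! AnyConnect connection profile: authenticate against the group above and
! allow users to change an expiring or expired password, warning 3 days ahead.
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 authentication-server-group LDAP-Server-Test
 password-management password-expire-in-days 3
!
! Verification, from enable mode, before trying a real client. The debug shows the
! bind, the user search and any "unwilling to perform" reply from the domain controller.
! test aaa-server authentication LDAP-Server-Test host 192.168.100.10 username testuser password <user-password>
! debug ldap 255
```

Run the test aaa-server command with an account whose password you have deliberately expired (see the procedure below); with LDAPS in place the ASA reports that the password must be changed rather than a plain authentication failure, and the debug ldap output confirms the session was established on port 636. Turn the debug off again with undebug all once you are done.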

If you want to test with a specific user, you can set their password to expired using the following procedure;

Reset the password expiration date for AD users

Related articles, references, credits or external links

