Connect with us

Hi, what are you looking for?

Internet

Cisco AnyConnect – Allow domain password change via LDAP

Cisco AnyConnect – Allow domain password change via LDAP

/

KB . ID 0001273

Problem

If you have remote users connecting through a VPN, and a policy that forces them to change their password periodically, this could block them without being able to change their password (externally).

If your Cisco ASA is using LDAP to authenticate your users, you can use a remote AnyConnect VPN solution to allow them to reset their passwords remotely.

solution

Standard LDAP works over TCP port 389, to allow ASA to reset the password for users, it must be connected via LDAPS (TCP port 636). Your AD server must be able to authenticate via LDAPS, by default No, you’ve already covered How to set this up in another post, see the next article.

Windows Server 2012 – Enable LDAPS

So, assuming that the AD server(s) that the Cisco ASA is authenticating to is already set up, you need to make sure that the AAA settings for LDAP are set to use port 636.

Enable LDAPS via command line

On my test network, I only have one LDAP server in my LDAP AAA pool, and you may need to repeat this procedure for every one in your pool.

Discover  11 Best (Really Free) VPNs for Android in December 2021

Petes-ASA (config) # aaa-server LDAP Server Test (inside) the host 192.168.110.10Petes-ASA (config-aaa-server-host) # server-port 636

Activate LDAPS from within ASDM

Log in to ADSM > Configuration > Device Management > Users / AAA > Select LDAP Server Group > Select Server > Edit > Enable LDAP over SSL > Server Port = 636.

Noticeable: If you try to reset a user password without LDAPS, you will see the following error;

Unwilling to make a password change

Next, you need to edit the AnyConnect connection profile to allow password reset. Or set the tunnel if you are working on the command line.

Allow password reset via command line

Petes-ASA (config) #tunnel-group profile any connection General attributes Petes-ASA (config-tunnel-general) # manage password password-expire-in-days 3

Allow password reset via ASDM

Connect to ADSM > Configuration > Remote Access VPN > Remote Network Agent Access > AnyConnect Connection Profile > Select One for AnyConnect > Edit > Advanced > General > Password Management > Enable Password Management > Select to Notify User How Many Days Before/Expires Its password > OK > Apply > File > Save running configuration to flash.

Now users have the ability to reset their password remotely because it is about to expire and when it will expire.

If you want to test with a specific user, you can set their password to ‘Expired’ using the following procedure;

Discover  Pros and Cons of Using a VPN

Reset the password expiration date for AD users

Related articles, references, credits or external links

unavailable


Don’t forget to share this post with friends !

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Related

Internet

AnyConnect certificate-based authentication. Cisco community 👨‍💻 The information in this document is based on the following software and hardware versions: ASA 5510 running software...

Internet

AnyConnect: Install a self-signed certificate as a trusted source 👨‍💻 kmgmt-2879-cbs-220-config-security-port objective The goal of this article is to walk you through creating and...

Internet

ITProPortal . Portal 👨‍💻 We live in a dynamic moment in terms of technology. Even criminals are becoming more technically savvy and are using...

Internet

Download antivirus for free. Best antivirus protection 👨‍💻 Protecting your identity, banking information and privacy Cybercriminals want your credit card details, passwords and other...