Cisco PIX 500 Series Configuration Manual page 626

Configuring Connection Profiles
This feature, which is enabled by default, warns a user when the current password is about to expire. The default is to begin warning the user 14 days before expiration:

hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#

If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration to begin warning the user about the pending expiration:

hostname(config-tunnel-general)# password-management [password-expire-in-days n]
hostname(config-tunnel-general)#
Note
When you configure the password-management command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather the number of days ahead of expiration that the security appliance starts warning the user that the password is about to expire.

If you do specify the password-expire-in-days keyword, you must also specify the number of days. Specifying this command with the number of days set to 0 disables this command: the security appliance does not notify the user of the pending expiration, but the user can still change the password after it expires.
See Configuring Microsoft Active Directory Settings for Password Management, page 30-27, for more information.
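The following is an added worked example and is not part of the Cisco guide. It puts the password-management command above in context with the AAA server group it depends on (the aaa-server and ldap-* commands are documented in the AAA chapter this note refers to, not on this page). The server group name LDAP-AD, the connection profile name RA-VPN, the host address, the base DN, the bind DN and the user name are placeholders assumed for the example.

```cisco
! Added example, not from the guide. Names, addresses, DNs and passwords are placeholders.
!
! 1. LDAP server group. The Microsoft note in this chapter requires LDAP over SSL
!    for password management against Active Directory, so bind on TCP/636 with TLS.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.5
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=ServiceAccounts,dc=example,dc=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
!
! 2. Connection profile. password-management belongs in general-attributes mode;
!    the deprecated radius-with-expiry command lived in ipsec-attributes mode.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group LDAP-AD
 ! Start warning 7 days before expiry instead of the default 14. This moves the
 ! warning, not the expiry date: the directory still decides when the password expires.
 password-management password-expire-in-days 7
!
! Weaker alternative, shown disabled: a value of 0 suppresses the pending-expiry
! warning entirely, so users only find out once the password has already expired.
! password-management password-expire-in-days 0
!
! 3. Checks. The first two confirm what was committed; the test command confirms the
!    bind DN and a user lookup work over SSL, but it does not exercise the
!    expiry-warning path, which only runs during a real remote-access login.
show running-config aaa-server LDAP-AD
show running-config tunnel-group RA-VPN
test aaa-server authentication LDAP-AD host 10.0.0.5 username jdoe password USER-PASSWORD-PLACEHOLDER
```

If the test succeeds but users never see a warning, check that the connection type and authentication method are among those the note below lists as supported (LDAP, or RADIUS with MS-CHAPv2), since the appliance silently ignores password-management for the other combinations.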
Note
administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.

Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory.

See the "Setting the LDAP Server Type" section on page 13-13 for more information.

The password-management command, entered in tunnel-group general-attributes configuration mode, replaces the deprecated radius-with-expiry command that was formerly entered in tunnel-group ipsec-attributes mode.

The security appliance, releases 7.1 and later, generally supports password management for the AnyConnect VPN Client, the Cisco IPSec VPN Client, the SSL VPN full-tunneling client, and Clientless connections when authenticating with LDAP or with any RADIUS connection that supports MS-CHAPv2. Password management is not supported for any of these connection types for Kerberos/AD (Windows password) or NT 4.0 Domain.

Some RADIUS servers that support MS-CHAP do not currently support MS-CHAPv2. The password-management command requires MS-CHAPv2, so please check with your vendor.

The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another authentication server. However, from the security appliance perspective, it is talking only to a RADIUS server.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03
Chapter 30 Configuring Connection Profiles, Group Policies, and Users
30-10