Cisco PIX 500 Series Configuration Manual page 763

Chapter 37 Configuring Clientless SSL VPN
When you configure password management, the security appliance notifies the remote user at login that
the user's current password is about to expire or has expired. The security appliance then offers the user
the opportunity to change the password. If the current password has not yet expired, the user can still log
in using that password.
This command is valid for AAA servers that support such notification. The security appliance ignores
this command if RADIUS or LDAP authentication has not been configured.
Some RADIUS servers that support MSCHAP currently do not support MSCHAPv2. This command
Note
requires MSCHAPv2 so please check with your vendor.
The security appliance, releases 7.1 and later, generally supports password management for the
following connection types when authenticating with LDAP or with any RADIUS configuration that
supports MS-CHAPv2:
AnyConnect VPN Client
•
• IPSec VPN Client
• Clientless SSL VPN
Password management is not supported for any of these connection types for Kerberos/Active Directory
(Windows password) or NT 4.0 Domain.
The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another
authentication server. However, from the security appliance perspective, it is talking only to a RADIUS
server.
For LDAP, the method to change a password is proprietary for the different LDAP servers on the market.
Note
Currently, the security appliance implements the proprietary password management logic only for
Microsoft Active Directory and Sun LDAP servers.
Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to do
password management for LDAP. By default, LDAP uses port 636.
Note If you are using an LDAP directory server for authentication, password management is supported with
the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server)
and the Microsoft Active Directory.
Sun—The DN configured on the security appliance to access a Sun directory server must be able to
access the default password policy on that server. We recommend using the directory administrator, or a
user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the
default password policy.
Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active
Directory.
Note that this command does not change the number of days before the password expires, but rather, the
number of days ahead of expiration that the security appliance starts warning the user that the password
is about to expire.
If you do specify the password-expire-in-days keyword, you must also specify the number of days.
OL-12172-03
Cisco Security Appliance Command Line Configuration Guide
Getting Started
37-7