Cisco ASA 5505 Configuration Manual page 1361

Chapter 64
General VPN Setup
Setting General Attributes for an AnyConnect SSL VPN Connection
Configure the General attributes to specify the password management parameters.
Fields
Set the Advanced General attributes as follows:
OL-20339-01
Enable Password Management—Lets you configure parameters relevant to overriding an
account-disabled indication from an AAA server and to notifying users about password expiration.
The adaptive security appliance supports password management for the RADIUS and LDAP
protocols. It supports the "password-expire-in-days" option only for LDAP. This parameter is valid
for AAA servers that support such notification. The adaptive security appliance ignores this
command if RADIUS or LDAP authentication has not been configured.
You can configure password management for IPsec remote access and SSL VPN tunnel-groups.
Note
Some RADIUS servers that support MS-CHAP currently do not support MS-CHAPv2. This
feature requires MS-CHAPv2, so please check with your vendor.
The adaptive security appliance, releases 7.1 and later, generally supports password management for
the following connection types when authenticating with LDAP or with any RADIUS configuration
that supports MS-CHAPv2:
AnyConnect VPN client
IPsec VPN client
Clientless SSL VPN
Password management is not supported for any of these connection types for Kerberos/Active
Directory (Windows password) or NT 4.0 Domain. The RADIUS server (for example, Cisco ACS)
could proxy the authentication request to another authentication server. However, from the adaptive
security appliance perspective, it is talking only to a RADIUS server.
Note
For LDAP, the method to change a password is proprietary for the different LDAP servers
on the market. Currently, the adaptive security appliance implements the proprietary
password management logic only for Microsoft Active Directory and Sun LDAP servers.
Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to
do password management for LDAP. By default, LDAP over SSL uses port 636.
Note
Allowing override account-disabled is a potential security risk: a user whose account the AAA
server reports as disabled is still allowed to log in instead of being rejected.
Notify user __ days prior to password expiration—Specifies that the adaptive security appliance
notifies the user at login a specific number of days before the password expires. The default is to
notify the user 14 days prior to password expiration and every day thereafter until the user changes
the password. The range is 1 through 180 days.
Notify user on the day password expires—Notifies the user only on the day that the password
expires.
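The conditions above (LDAP needs LDAP over SSL, password-expire-in-days is LDAP-only, no support for Kerberos or NT, and override-account-disabled as a risk) can be checked against a running-config rather than clicked through in ASDM. The following Python script is an added example, not part of the Cisco guide; it parses the aaa-server and tunnel-group general-attributes blocks of a constructed ASA configuration and reports each tunnel-group whose password-management setting cannot work or weakens authentication. The server-group and tunnel-group names (AD_LDAP, SSLVPN_OK and so on) and the addresses are invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
# Constructed ASA running-config excerpt; server-group and tunnel-group names are invented.
SAMPLE_CONFIG = """\
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.1.1.10
 ldap-over-ssl enable
 server-port 636
aaa-server AD_LDAP_PLAIN protocol ldap
aaa-server AD_LDAP_PLAIN (inside) host 10.1.1.11
aaa-server KRB protocol kerberos
aaa-server KRB (inside) host 10.1.1.12
aaa-server RAD protocol radius
aaa-server RAD (inside) host 10.1.1.13
tunnel-group SSLVPN_OK general-attributes
 authentication-server-group AD_LDAP
 password-management password-expire-in-days 14
tunnel-group SSLVPN_PLAIN general-attributes
 authentication-server-group AD_LDAP_PLAIN
 password-management
 override-account-disabled
tunnel-group SSLVPN_KRB general-attributes
 authentication-server-group KRB
 password-management
tunnel-group SSLVPN_RAD general-attributes
 authentication-server-group RAD
 password-management password-expire-in-days 7
"""

@dataclass
class AaaGroup:
    name: str
    protocol: str  # ldap, radius, kerberos, nt, ...
    ldap_over_ssl: bool = False  # " ldap-over-ssl enable" seen in the host block

@dataclass
class TunnelGroup:
    name: str
    auth_group: Optional[str] = None  # authentication-server-group
    password_management: bool = False
    expire_days: Optional[int] = None  # password-expire-in-days N
    override_account_disabled: bool = False

def parse_config(text: str) -> Tuple[Dict[str, AaaGroup], Dict[str, TunnelGroup]]:
    # ASA sub-commands are indented one space; a non-indented line ends the current block.
    groups: Dict[str, AaaGroup] = {}
    tunnels: Dict[str, TunnelGroup] = {}
    ctx = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        parts = raw.split()
        if not raw.startswith(" "):
            ctx = None
            if parts[0] == "aaa-server" and len(parts) >= 4 and parts[2] == "protocol":
                groups[parts[1]] = AaaGroup(parts[1], parts[3].lower())
            elif parts[0] == "aaa-server" and len(parts) >= 5 and parts[3] == "host":
                ctx = groups.get(parts[1])  # host block of an already declared group
            elif parts[0] == "tunnel-group" and parts[-1] == "general-attributes":
                ctx = tunnels.setdefault(parts[1], TunnelGroup(parts[1]))
        elif isinstance(ctx, AaaGroup):
            if parts[:2] == ["ldap-over-ssl", "enable"]:
                ctx.ldap_over_ssl = True
        elif isinstance(ctx, TunnelGroup):
            if parts[0] == "authentication-server-group":
                # skip an optional "(interface)" prefix and a trailing LOCAL fallback
                names = [p for p in parts[1:] if not p.startswith("(") and p != "LOCAL"]
                ctx.auth_group = names[0] if names else "LOCAL"
            elif parts[0] == "password-management":
                ctx.password_management = True
                if len(parts) >= 3 and parts[1] == "password-expire-in-days":
                    ctx.expire_days = int(parts[2])
            elif parts[0] == "override-account-disabled":
                ctx.override_account_disabled = True
    return groups, tunnels

def audit(text: str) -> List[Tuple[str, str]]:
    # Returns (tunnel-group, finding) pairs for the conditions the guide describes.
    groups, tunnels = parse_config(text)
    findings: List[Tuple[str, str]] = []
    for tg in tunnels.values():
        if not tg.password_management:
            continue
        grp = groups.get(tg.auth_group or "")
        if grp is None:
            findings.append((tg.name, "password-management ignored: no RADIUS/LDAP server group"))
        elif grp.protocol == "ldap":
            if not grp.ldap_over_ssl:
                findings.append((tg.name, f"{grp.name}: ldap-over-ssl not enabled; LDAP password management needs SSL"))
        elif grp.protocol == "radius":
            if tg.expire_days is not None:
                findings.append((tg.name, "password-expire-in-days is LDAP-only; RADIUS ignores it"))
        else:
            findings.append((tg.name, f"{grp.name}: password management unsupported for {grp.protocol}"))
        if tg.override_account_disabled:
            findings.append((tg.name, "override-account-disabled: accounts disabled on the AAA server can still log in"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{tg}: {msg}" for tg, msg in audit(SAMPLE_CONFIG)))
```

Running the script against the sample reports nothing for SSLVPN_OK, an LDAP-without-SSL finding and an override-account-disabled finding for SSLVPN_PLAIN, an unsupported-protocol finding for the Kerberos group, and an ignored password-expire-in-days finding for the RADIUS group. One thing a config audit cannot tell you is whether a RADIUS server actually supports MS-CHAPv2; that still has to be confirmed with the server vendor, as the note above says.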
Cisco ASA 5500 Series Configuration Guide using ASDM
Configuring SSL VPN Connections
64-51