Cisco FirePOWER ASA 5500 series Configuration Manual, page 573: Security appliance command line
Chapter 30 Configuring Tunnel Groups, Group Policies, and Users
Configuring Tunnel Groups

Note: If you are using an LDAP directory server for authentication, password management is supported with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory Server) and the Microsoft Active Directory.

Sun—The DN configured on the security appliance to access a Sun directory server must be able to access the default password policy on that server. We recommend using the directory administrator, or a user with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the default password policy.

Microsoft—You must configure LDAP over SSL to enable password management with Microsoft Active Directory. See the "Setting the LDAP Server Type" section on page 13-7 for more information.

This feature, which is enabled by default, warns a user when the current password is about to expire. The default is to begin warning the user 14 days before expiration:

hostname(config-tunnel-general)# password-management
hostname(config-tunnel-general)#

If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration to begin warning the user about the pending expiration:

hostname(config-tunnel-general)# password-management [password-expire-in-days n]
hostname(config-tunnel-general)#

Note: The password-management command, entered in tunnel-group general-attributes configuration mode, replaces the deprecated radius-with-expiry command that was formerly entered in tunnel-group ipsec-attributes mode.

When you configure this command, the security appliance notifies the remote user at login that the user's current password is about to expire or has expired. The security appliance then offers the user the opportunity to change the password. If the current password has not yet expired, the user can still log in using that password. The security appliance ignores this command if RADIUS or LDAP authentication has not been configured.

Note that this does not change the number of days before the password expires, but rather the number of days ahead of expiration that the security appliance starts warning the user that the password is about to expire.

If you do specify the password-expire-in-days keyword, you must also specify the number of days. See Configuring Microsoft Active Directory Settings for Password Management, page 30-24, for more information.

Specifying this command with the number of days set to 0 disables this command. The security appliance does not notify the user of the pending expiration, but the user can change the password after it expires.

Step 10 Optionally, configure the ability to override an account-disabled indicator from the AAA server, by entering the override-account-disable command:

hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)#

Cisco Security Appliance Command Line Configuration Guide OL-10088-01 30-19
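The following is an added example, not Cisco's code or text from the manual: a small Python audit script that parses a constructed ASA running-config fragment and reports how each tunnel group's password-management setting will behave under the rules on this page (default of 14 days, the 0-to-180 range, 0 disabling the warning, the command being ignored without a configured authentication server, and the Microsoft AD requirement for LDAP over SSL). The tunnel-group and password-management syntax is taken from the page; the aaa-server lines (server-type, ldap-over-ssl enable, authentication-server-group) are assumed ASA syntax used only so the Microsoft-requires-SSL note can be checked, and the sample configuration itself is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample running-config fragment (not from any real device).
# tunnel-group / password-management lines follow the manual page; the
# aaa-server sub-commands are assumed ASA syntax, included for the SSL check.
SAMPLE_CONFIG = """\
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
 server-type microsoft
aaa-server SUN-LDAP protocol ldap
aaa-server SUN-LDAP (inside) host 192.0.2.20
 ldap-over-ssl enable
 server-type sun
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 password-management
 override-account-disable
tunnel-group PARTNER-VPN general-attributes
 authentication-server-group SUN-LDAP
 password-management password-expire-in-days 0
tunnel-group LEGACY-VPN general-attributes
 authentication-server-group AD-LDAP
 password-management password-expire-in-days 200
tunnel-group NO-PM general-attributes
 authentication-server-group SUN-LDAP
"""

DEFAULT_WARN_DAYS = 14   # manual: warning starts 14 days before expiry by default
MAX_WARN_DAYS = 180      # manual: valid range is 0 through 180


@dataclass
class TunnelGroup:
    name: str
    aaa_group: Optional[str] = None
    password_management: bool = False
    warn_days: Optional[int] = None   # None = keyword omitted, default applies
    override_account_disable: bool = False


def parse_config(text):
    """Return (aaa_servers, tunnel_groups) parsed from an ASA-style config."""
    aaa, tunnels, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level command: new context
            current = None
            m = re.match(r"aaa-server (\S+) (?:protocol ldap|\(\S+\) host \S+)", line)
            if m:
                aaa.setdefault(m.group(1), {"type": None, "ssl": False})
                current = ("aaa", m.group(1))
                continue
            m = re.match(r"tunnel-group (\S+) general-attributes", line)
            if m:
                tunnels.setdefault(m.group(1), TunnelGroup(m.group(1)))
                current = ("tg", m.group(1))
            continue
        if current is None:                    # indented line with no context
            continue
        sub, (kind, name) = line.strip(), current
        if kind == "aaa":
            if sub.startswith("server-type "):
                aaa[name]["type"] = sub.split()[1]
            elif sub == "ldap-over-ssl enable":
                aaa[name]["ssl"] = True
        else:
            tg = tunnels[name]
            if sub.startswith("authentication-server-group "):
                tg.aaa_group = sub.split()[1]
            elif sub.startswith("password-management"):
                tg.password_management = True
                m = re.match(r"password-management(?: password-expire-in-days (\d+))?$", sub)
                if m and m.group(1) is not None:
                    tg.warn_days = int(m.group(1))
            elif sub == "override-account-disable":
                tg.override_account_disable = True
    return aaa, tunnels


def audit(aaa, tunnels):
    """Map each tunnel group to the findings a reviewer would want to see."""
    findings = {}
    for name, tg in sorted(tunnels.items()):
        notes = []
        if not tg.password_management:
            notes.append("no password-management: users get no expiry warning")
        elif tg.warn_days is None:
            notes.append(f"warns {DEFAULT_WARN_DAYS} days before expiry (default)")
        elif tg.warn_days == 0:
            notes.append("password-expire-in-days 0: warning disabled, change only after expiry")
        elif tg.warn_days > MAX_WARN_DAYS:
            notes.append(f"password-expire-in-days {tg.warn_days} outside 0-180 range")
        else:
            notes.append(f"warns {tg.warn_days} days before expiry")
        srv = aaa.get(tg.aaa_group or "")
        if srv is None:
            notes.append("authentication server group not found; password-management ignored")
        elif srv["type"] == "microsoft" and not srv["ssl"]:
            notes.append("Microsoft AD without ldap-over-ssl: password management will not work")
        if tg.override_account_disable:
            notes.append("override-account-disable set: AAA account-disabled flag is ignored")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for group, notes in audit(*parse_config(SAMPLE_CONFIG)).items():
        print(group)
        for n in notes:
            print("  -", n)
```

Running the script over the constructed fragment flags RA-VPN for the missing LDAP-over-SSL on its Microsoft server and for override-account-disable, PARTNER-VPN for the 0-day setting that silently turns the warning off, LEGACY-VPN for a value outside the documented range, and NO-PM for having no password management at all.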