Cisco ASA - VPN Client: when password expires, user can reuse it.


danr19

Technical User
Aug 30, 2003
Hi,

I have been testing ASA 5510 8.0.4 with a Windows Server 2003 AD + LDAP as an AAA server.

Users can change passwords from Cisco VPN Client, applying a Windows GPO Password Policy.

It works (length, complexity, expiration). However, when a user needs to change the password, either when it expires or when a change is forced, the same password can be entered.

When I test the same user with e.g. Remote Desktop to the server, it is not allowed to repeat the same password when it expires or a change is forced, according to the assigned password policy.

I've captured an ASA debug log ("debug aaa common 255") when I enforce a password change and VPN client authenticates.

See below, where 'Invalid Attribute' appears. I think it may be a missing LDAP attribute in the AD schema related to password history.

Has anybody seen this problem?

Cheers,

danr19

------------------------------------------------------------
AAA session opened: handle = 1197
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(d45bd5c8) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction

Initiating authentication to primary server (Svr Grp: USER_IPSEC_VPN)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server: 192.168.1.62
AAA FSM: In AAA_SendMsg
User: user
Resp:
callback_aaa_task: status = -1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 1197, pAcb = d5f6f97c
AAA task: aaa_process_msg(d45bd5c8) received message type 1
AAA FSM: In AAA_ProcSvrResp

Back End response:
------------------
Authentication Status: -1 (REJECT)

Resetting sathyam.aaa.ip's numtries
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
AAA_NextFunction: authen svr = USER_IPSEC_VPN, author svr = <NONE>, user pol = , tunn pol = DfltGrpPolicy
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
1 LDAP password change allowed(20483) 4 1
2 LDAP password minimum length(20484) 4 6
3 <UNKNOWN>(20486) 4 0xD8E2D6F8 ** Invalid Attribute **

user policy attributes:
None

tunnel policy attributes:
None


Auth Status = REJECT
------------------------------------------------------------
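The debug capture above, as an added example that is not part of the original post: a small Python parser that pulls the backend verdict, the server used and the per-user LDAP attributes out of a "debug aaa common 255" capture, and flags any attribute the ASA marks "Invalid Attribute". The sample text is a constructed, trimmed copy of the posted log with the same status and attribute IDs; the meaning of attribute ID 20486 is not known from this page, so the script only reports it rather than interpreting it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the "debug aaa common 255" lines posted
# above, reduced to the lines that carry the decision (server, status, attributes).
SAMPLE_DEBUG = """\
Initiating authentication to primary server (Svr Grp: USER_IPSEC_VPN)
AAA_BindServer: Using server: 192.168.1.62
User: user
Back End response:
Authentication Status: -1 (REJECT)
user attributes:
1 LDAP password change allowed(20483) 4 1
2 LDAP password minimum length(20484) 4 6
3 <UNKNOWN>(20486) 4 0xD8E2D6F8 ** Invalid Attribute **

user policy attributes:
None

tunnel policy attributes:
None

Auth Status = REJECT
"""

GROUP_RE = re.compile(r"\(Svr Grp:\s*(?P<group>[^)]+)\)")
SERVER_RE = re.compile(r"^AAA_BindServer: Using server:\s*(?P<server>\S+)")
USER_RE = re.compile(r"^User:\s*(?P<user>\S+)")
STATUS_RE = re.compile(r"^Authentication Status:\s*(?P<code>-?\d+)\s*\((?P<status>\w+)\)")
# Attribute rows look like: "<index> <name>(<id>) <length> <value> [** Invalid Attribute **]"
ATTR_RE = re.compile(
    r"^\s*\d+\s+(?P<name>.+?)\((?P<id>\d+)\)\s+(?P<length>\d+)\s+(?P<value>\S+)(?P<rest>.*)$"
)
SECTION_RE = re.compile(r"^(?P<section>user|user policy|tunnel policy) attributes:$")


def parse_aaa_debug(text: str) -> Dict:
    """Extract server group, server, user, backend status and attribute tables."""
    parsed: Dict = {
        "server_group": None, "server": None, "user": None, "status": None,
        "attributes": {"user": [], "user policy": [], "tunnel policy": []},
    }
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is not None:
            m = ATTR_RE.match(line)
            if m:
                parsed["attributes"][section].append({
                    "name": m.group("name").strip(),
                    "id": int(m.group("id")),
                    "length": int(m.group("length")),
                    "value": m.group("value"),
                    # The ASA appends this marker when it cannot decode the attribute.
                    "invalid": "Invalid Attribute" in m.group("rest"),
                })
                continue
            if line == "None":
                continue
            section = None  # any other line ends the attribute listing
        m = GROUP_RE.search(line)
        if m:
            parsed["server_group"] = m.group("group").strip()
        m = SERVER_RE.search(line)
        if m:
            parsed["server"] = m.group("server")
        m = USER_RE.search(line)
        if m:
            parsed["user"] = m.group("user")
        m = STATUS_RE.search(line)
        if m:
            parsed["status"] = m.group("status")
    return parsed


def find_problems(parsed: Dict) -> List[str]:
    """Return human-readable findings: a backend REJECT and any undecoded attribute."""
    problems: List[str] = []
    if parsed["status"] == "REJECT":
        problems.append(
            f"backend {parsed['server']} (group {parsed['server_group']}) "
            f"returned REJECT for user {parsed['user']}"
        )
    for section, attrs in parsed["attributes"].items():
        for attr in attrs:
            if attr["invalid"] or attr["name"] == "<UNKNOWN>":
                problems.append(
                    f"{section} attribute id {attr['id']} ({attr['name']}) with value "
                    f"{attr['value']} was not understood by the ASA (marked Invalid Attribute)"
                )
    return problems


if __name__ == "__main__":
    result = parse_aaa_debug(SAMPLE_DEBUG)
    for finding in find_problems(result):
        print(finding)
```

Run it against a full capture (paste the whole debug into SAMPLE_DEBUG or read it from a file) to get the attribute IDs the ASA did and did not decode for a given user; the ID list is what to compare against the LDAP attribute map on the ASA when chasing a password-policy mismatch like the one described.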
