Expired Windows Password - causes VPN login fail

Status
Not open for further replies.

cygnetrower1

IS-IT--Management
Feb 14, 2002
37
GB
Hello,

I have a Cisco PIX 515 authenticating back to a Windows 2000 Domain Controller running IAS.

This works very nicely except when the user's password has expired, in which case I get
Error 413 User Authentication Failed

Does anyone know the solution to this problem?

Thanks
Damian
 
Apologies for the brief notes - to add some more detail:
VPN Client Version: 4.03
Laptop: Windows XP SP1
PIX ver: 6.3(3)

Also
vpngroup **** default-domain ******
sets the DNS Suffix Search List.
Is there a way to add more than 1 domain to this?
Without it DNS resolution is very slow on all but the default.
 
If I am reading this correctly, the firewall/Win2k systems are doing exactly what you want them to do. The system should not allow the user to gain access to the VPN if their internal AD profile is either expired or disabled. If your policy is to require password changes periodically, then your users can't complain if their profile is expired, they have enough warning.
 
Well, the problem is: you do *not* get any "password expires in..." warnings when you connect through the VPN client and you are just locked out when it happens. Home office workers typically run into this issue.

But there is a mechanism to let you change your password from the VPN client in this case. It works with certain RADIUS messages between VPN client and IAS. But Microsoft IAS issues these messages *only* to Microsoft clients...

The trick to make it work is to declare the PIX in IAS as being a Microsoft product (as much as this might hurt ;-)). In IAS go to the RADIUS client's properties (of the PIX) and change the client vendor from Cisco to Microsoft.

Next time the password expires, Cisco VPN client will notify you during login and present a window where you can set a new password. You won't get any "your password expires in...", though. It only tells you after the password has expired. But this surely is better than having to call the admin and have him/her set a new password.

Cheers *Rob
 
Hi,

I tried this but it has not worked.
The client still gets error 413.
The Windows event log (on the IAS server) still shows an access denied event for the user with the reason being "the user must change their password".

Some more bits of info on our environment:
Our domain is in mixed mode....
So the only setting for dial-in permissions is either allow or disallow.
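When chasing this kind of failure it helps to separate "must change password" rejections (the expired-password case the thread is about, which the client-vendor change in IAS is meant to handle) from bad-password and disabled-account rejections, which deserve a different response. The script below is an added example, not something posted in this thread: it triages access-denied records by rejection reason and lists the users whose only problem is an expired password, so the helpdesk can pre-empt the lockout. The key=value record layout and the sample events are constructed for the example and are not the real IAS log format; adapt `parse_record` to whatever export your server produces.

```python
"""Triage constructed IAS-style RADIUS access-denied records by rejection reason.

Added example for this thread. The record layout below is a constructed
key=value format, NOT the real IAS log format; replace parse_record() with a
parser for your own export.
"""
from collections import Counter
import re

# Constructed sample records (not taken from the thread or a real IAS server).
SAMPLE_EVENTS = [
    'ts=2002-02-14T08:01:12 client=pix-vpn user=alice result=ACCESS_GRANTED reason=""',
    'ts=2002-02-14T08:03:40 client=pix-vpn user=bob result=ACCESS_DENIED reason="The user must change their password"',
    'ts=2002-02-14T08:05:02 client=pix-vpn user=carol result=ACCESS_DENIED reason="Authentication failure: bad password"',
    'ts=2002-02-14T08:07:55 client=pix-vpn user=bob result=ACCESS_DENIED reason="The user must change their password"',
    'ts=2002-02-14T08:09:10 client=pix-vpn user=dave result=ACCESS_DENIED reason="Account disabled"',
]

# key=value pairs; values may be bare tokens or double-quoted strings (possibly empty).
RECORD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Reason text that marks the expired-password case discussed in the thread.
MUST_CHANGE_PASSWORD = "must change their password"


def parse_record(line):
    """Split one record into a dict of field -> value (quotes stripped)."""
    fields = {}
    for match in RECORD_RE.finditer(line):
        key, raw_value, quoted_value = match.groups()
        fields[key] = quoted_value if quoted_value is not None else raw_value
    return fields


def denied_records(lines):
    """Yield only the parsed records whose result is ACCESS_DENIED."""
    for line in lines:
        record = parse_record(line)
        if record.get("result") == "ACCESS_DENIED":
            yield record


def failures_by_reason(lines):
    """Count access-denied records per rejection reason."""
    return Counter(record.get("reason", "") for record in denied_records(lines))


def users_needing_password_change(lines):
    """Users whose rejections were all expired-password rejections.

    A user with at least one *other* kind of rejection (bad password, disabled
    account) is left out so that a genuine authentication problem is not hidden
    behind an expired-password explanation.
    """
    reasons_per_user = {}
    for record in denied_records(lines):
        user = record.get("user", "<unknown>")
        reasons_per_user.setdefault(user, set()).add(record.get("reason", "").lower())
    return sorted(
        user for user, reasons in reasons_per_user.items()
        if reasons and all(MUST_CHANGE_PASSWORD in reason for reason in reasons)
    )


if __name__ == "__main__":
    for reason, count in failures_by_reason(SAMPLE_EVENTS).most_common():
        print(f"{count:3d}  {reason}")
    print("expired-password only:", users_needing_password_change(SAMPLE_EVENTS))
```

On the constructed sample this reports two "must change their password" rejections, one bad password and one disabled account, and lists only `bob` as an expired-password case; `carol` and `dave` are left for normal investigation.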
 
Last time I tried this, I used Cisco VPN Client version 4.6. Could you try it with a newer client?
 
Do you have an exchange server? You can enable the password change feature on the webmail client.
 