This document highlights the steps to configure the RADIUS Password Expiry feature on Cisco IOS Easy VPN Servers.
The Cisco Secure Access Control Server (ACS) configured for Microsoft Challenge Handshake Authentication Protocol 2
(MS-CHAP2) is used as the RADIUS server in this example (Password Authentication Protocol [PAP] is not supported for
this feature). With this feature enabled, VPN users are prompted to change an expired Microsoft Windows password when
they launch the Cisco VPN Client to connect to the Easy VPN Server.
CHALLENGE
Currently, Cisco IOS Easy VPN clients send the username and password values to the EasyVPN Server, which in turn sends them to the
authentication, authorization, and accounting (AAA) subsystem. The AAA subsystem generates an authentication request to the RADIUS server.
If the password has expired, the RADIUS server replies with an authentication failure. The reason for the failure is not passed back to
the AAA subsystem, so the user is denied access because of the authentication failure but is not told that the failure is due to password expiry.
SOLUTION
The AAA Password Expiry infrastructure notifies the Easy VPN client that the password has expired, and provides a generic way for the user to
change the password.
Note: The Password Expiry feature is not supported on the hardware client.
COMPONENTS USED
The information in this document is based on the following software and hardware versions:
• Cisco 2821 Integrated Services Router with Cisco IOS Software Release 12.4(6)T
• Cisco VPN Client Version 4.0.5
• Cisco Secure Access Control Server (ACS) Version 3.3 installed on a Windows 2000 server
Users in this document are defined in the Microsoft Windows 2000 Active Directory Server.
The information in this document was created from the devices in a specific lab environment. All devices used in this document started with a
normal tunnel configuration, using either a crypto map or a Dynamic Virtual Tunnel Interface (DVTI). If your network is live, make sure that you
understand the potential impact of any command.
All contents are Copyright © 1992–2006 Cisco Systems, Inc. All rights reserved.
NETWORK DIAGRAM
This document uses the network setup shown in Figure 1.
CONVENTIONS
For more information about document conventions, refer to the Cisco Technical Tips Conventions.
Step 1. A new sub-option passwd-expiry is used to support the Password Expiry feature:
aaa authentication login <list-name> passwd-expiry group <server-group-name>|radius
Step 3. An AAA client (for example, the crypto subsystem, through a crypto map) references this list using:
crypto map <map-name> client authentication list <list-name>
Step 1. Define the Cisco 2800 Series router as an AAA client. Be sure to select RADIUS (Cisco IOS/PIX) as the authentication method.
Refer to Figure 2.
Be sure to check the Dialin Permission and MS-CHAP2 boxes, and enter the domain name for the Windows Active Directory server
(Figures 3 and 4).
Be sure to select Windows Database as the Password Authentication type (Figure 5).
Note: In each Windows user profile, Allow access must be selected under Remote Access Permission on the Dial-in tab (Figure 6), and “User must
change password at next logon” must be checked on the Account tab (Figure 7); the latter is how an expired password is forced for this test.
Step 2. Type your username and password to log in. Then click OK (Figure 9).
Step 3. When the Windows password expires, you will be prompted to change the password. Type a new password. Type again to confirm it,
and click OK (Figure 10).
• MS-CHAP-Error—The MS-CHAP-Error attribute contains error data related to the preceding MS-CHAP exchange. This attribute can be used
with both MS-CHAP and MS-CHAP2; it is used only in Access-Reject packets.
• MS-CHAP2-CPW—This attribute allows users to change their password if it has expired. It is used only in conjunction with the MS-CHAP-NT-
Enc-PW attribute in Access-Request packets, and should be included only if an MS-CHAP-Error attribute was included in the immediately
preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP
version is 3.
• MS-CHAP-NT-Enc-PW—This attribute contains the new Windows NT password encrypted with the old Windows NT password hash. The
encrypted Windows NT password is 516 octets long. Because this is longer than the maximum length of a RADIUS attribute, the password must
be split into several attributes for transmission. A 2-octet sequence number is included in the attribute to help preserve ordering of the password
fragments. This attribute is used only in Access-Request packets, in conjunction with MS-CHAP-CPW-2 and MS-CHAP2-CPW attributes. It
should be included only if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the
MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is 2 or greater.
• MS-CHAP2-Response—This attribute contains the response value provided by an MS-CHAP2 peer in response to the challenge. It is used only
in Access-Request packets.
• MS-CHAP2-Success—This attribute contains a 42-octet authenticator response string, which must be included in the message field of the MS-
CHAP2 Success packet sent from the network access server to the peer. This attribute is used only in Access-Accept packets.
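The attribute descriptions above are easier to follow with the encodings in hand. The following Python is an added example, not code from Cisco or from this document: it builds and parses the Microsoft vendor-specific RADIUS attributes (vendor ID 311, vendor-types and field layouts as in RFC 2548), decodes the MS-CHAP-Error string whose E=648 code (ERROR_PASSWD_EXPIRED, RFC 2759) tells the Easy VPN Server to start the change-password exchange, builds the MS-CHAP2-CPW attribute, and fragments a 516-octet MS-CHAP-NT-Enc-PW blob across attributes and reassembles it by Sequence-Number. The error string, the challenge value and the encrypted password blob are constructed sample data, and the function names are the example's own.

```python
"""Added example (not Cisco's or this document's code): RFC 2548 Microsoft VSAs
used in the RADIUS password-expiry exchange. Sample data below is constructed."""
import struct

MS_VENDOR_ID = 311          # Microsoft enterprise number (RFC 2548)
MS_CHAP_ERROR = 2           # vendor-type of MS-CHAP-Error
MS_CHAP_NT_ENC_PW = 6       # vendor-type of MS-CHAP-NT-Enc-PW
MS_CHAP2_CPW = 27           # vendor-type of MS-CHAP2-CPW
ERROR_PASSWD_EXPIRED = 648  # RFC 2759 section 6
MAX_ATTR_LEN = 255          # RADIUS attribute length is one octet


def vsa(vendor_type: int, data: bytes) -> bytes:
    """Wrap vendor data in a RADIUS Vendor-Specific (type 26) attribute."""
    vendor_len = 2 + len(data)
    total = 2 + 4 + vendor_len
    if total > MAX_ATTR_LEN:
        raise ValueError("vendor data too long for one attribute")
    return struct.pack("!BBIBB", 26, total, MS_VENDOR_ID, vendor_type, vendor_len) + data


def parse_vsas(payload: bytes):
    """Yield (vendor_type, data) for every Microsoft VSA in an attribute list."""
    pos = 0
    while pos + 2 <= len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute")
        if atype == 26 and alen >= 8:
            vendor_id, vtype, vlen = struct.unpack("!IBB", payload[pos + 2:pos + 8])
            if vendor_id == MS_VENDOR_ID and vlen == alen - 6:
                yield vtype, payload[pos + 8:pos + alen]
        pos += alen


def ms_chap_error(ident: int, string: str) -> bytes:
    """MS-CHAP-Error: Ident (1 octet) followed by the error string."""
    return vsa(MS_CHAP_ERROR, bytes([ident]) + string.encode("ascii"))


def parse_ms_chap_error(data: bytes) -> dict:
    """Split 'E=648 R=0 C=<hex> V=3 M=<text>' into fields; the M text may contain spaces."""
    fields = {"ident": data[0]}
    head, _, msg = data[1:].decode("ascii", "replace").partition(" M=")
    for token in head.split():
        key, _, value = token.partition("=")
        fields[key] = value
    if msg:
        fields["M"] = msg
    return fields


def password_expired(fields: dict) -> bool:
    """True only when the reject carries E=648 (ERROR_PASSWD_EXPIRED)."""
    return fields.get("E") == str(ERROR_PASSWD_EXPIRED)


def server_rejected_for_expiry(payload: bytes) -> bool:
    """What the NAS must decide from an Access-Reject before prompting for a new password."""
    return any(vtype == MS_CHAP_ERROR and password_expired(parse_ms_chap_error(data))
               for vtype, data in parse_vsas(payload))


def ms_chap2_cpw(ident, encrypted_hash, peer_challenge, nt_response, flags=0):
    """MS-CHAP2-CPW: Code=7, Ident, Encrypted-Hash(16), Peer-Challenge(16),
    Reserved(8), NT-Response(24), Flags(2); Vendor-Length is always 70."""
    if (len(encrypted_hash), len(peer_challenge), len(nt_response)) != (16, 16, 24):
        raise ValueError("wrong field length")
    body = (struct.pack("!BB", 7, ident) + encrypted_hash + peer_challenge
            + bytes(8) + nt_response + struct.pack("!H", flags))
    return vsa(MS_CHAP2_CPW, body)


def fragment_nt_enc_pw(ident: int, blob: bytes) -> list:
    """Split the 516-octet blob into MS-CHAP-NT-Enc-PW VSAs, each carrying
    Code=6, Ident and a 2-octet Sequence-Number ahead of its slice."""
    if len(blob) != 516:
        raise ValueError("encrypted NT password must be 516 octets")
    chunk = MAX_ATTR_LEN - 8 - 4  # 8-octet VSA header, 4-octet Code/Ident/Seq prefix
    return [vsa(MS_CHAP_NT_ENC_PW, struct.pack("!BBH", MS_CHAP_NT_ENC_PW, ident, seq)
                + blob[off:off + chunk])
            for seq, off in enumerate(range(0, len(blob), chunk))]


def reassemble_nt_enc_pw(payload: bytes) -> bytes:
    """Rebuild the blob by Sequence-Number; wire order is not trusted, gaps and duplicates are rejected."""
    pieces = {}
    for vtype, data in parse_vsas(payload):
        if vtype != MS_CHAP_NT_ENC_PW:
            continue
        code, _ident, seq = struct.unpack("!BBH", data[:4])
        if code != MS_CHAP_NT_ENC_PW or seq in pieces:
            raise ValueError("bad or duplicate fragment")
        pieces[seq] = data[4:]
    if sorted(pieces) != list(range(len(pieces))):
        raise ValueError("missing fragment")
    return b"".join(pieces[i] for i in sorted(pieces))


def change_password_request(ident, encrypted_hash, peer_challenge, nt_response, blob):
    """Attribute list for the follow-up Access-Request: one MS-CHAP2-CPW plus the
    MS-CHAP-NT-Enc-PW fragments (User-Name and the other attributes are omitted)."""
    return (ms_chap2_cpw(ident, encrypted_hash, peer_challenge, nt_response)
            + b"".join(fragment_nt_enc_pw(ident, blob)))


# Constructed sample data: a reject reporting an expired password, and a
# 516-octet stand-in for the real encrypted NT password.
CHALLENGE_HEX = "0123456789abcdef0123456789abcdef"
REJECT = ms_chap_error(7, f"E=648 R=0 C={CHALLENGE_HEX} V=3 M=Password expired")
SAMPLE_BLOB = bytes(i & 0xFF for i in range(516))
FRAGMENTS = fragment_nt_enc_pw(7, SAMPLE_BLOB)
```

Two points fall out of the code. The fragment budget of 243 octets is the 255-octet attribute limit minus the 8-octet VSA header and the 4-octet Code/Ident/Sequence-Number prefix, so the 516-octet blob always travels as three attributes, and the reassembler orders them by Sequence-Number and rejects gaps or duplicates rather than trusting wire order. The MS-CHAP-NT-Enc-PW contents are protected only by the old NT password hash, and the RADIUS shared secret authenticates packets without encrypting most attributes, so the path between the Easy VPN Server and the ACS should be a trusted or IPsec-protected network.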
The following section shows the debug messages captured on the Cisco 2821 Integrated Services Router with Cisco IOS Software during a tunnel
negotiation. Refer to the bold portions to see how AAA attributes are passed between the Cisco Secure ACS and the Cisco IOS Easy VPN Server to
inform the VPN user that the password has expired, and to carry the new Windows password from the VPN user back to the Windows user database.
Turn on the following debug commands on the Cisco 2821 Integrated Services Router: