
Configuration Guide

AAA Password Expiry in Cisco IOS EasyVPN

This document highlights the steps to configure the RADIUS Password Expiry feature on Cisco IOS Easy VPN Servers.
The Cisco Secure Access Control Server (ACS) configured for Microsoft Challenge Handshake Authentication Protocol 2
(MS-CHAP2) is used as the RADIUS server in this example (Password Authentication Protocol [PAP] is not supported for
this feature). With this feature enabled, VPN users are prompted to change an expired Microsoft Windows password when
they launch the Cisco VPN Client to connect to the Easy VPN Server.

CHALLENGE
Currently, Cisco IOS Easy VPN clients send the username and password values to the Easy VPN Server, which in turn sends them to the
authentication, authorization, and accounting (AAA) subsystem. The AAA subsystem generates an authentication request to the RADIUS server.
If the password has expired, the RADIUS server replies with an authentication failure. The reason for the failure is not passed back to
the AAA subsystem, so the user is denied access because of authentication failure but does not know that the failure is due to password expiry.

SOLUTION
The AAA Password Expiry infrastructure notifies the Easy VPN client that the password has expired, and provides a generic way for the user to
change the password.

Note: The Password Expiry feature is not supported on the hardware client.

COMPONENTS USED
The information in this document is based on the following software and hardware versions:

• Cisco 2821 Integrated Services Router with Cisco IOS Software Release 12.4(6)T
• Cisco VPN Client Version 4.0.5
• Cisco Secure Access Control Server (ACS) Version 3.3 installed on a Windows 2000 server

Users in this document are defined in the Microsoft Windows 2000 Active Directory Server.

The information in this document was created from the devices in a specific lab environment. All devices used in this document started with a
normal tunnel configuration, using either a crypto map or Dynamic Virtual Tunnel Interface (DVTI). If your network is live, make sure that you
understand the potential impact of any command.

All contents are Copyright © 1992–2006 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.
NETWORK DIAGRAM
This document uses the network setup shown in Figure 1.

Figure 1. Network Setup

CONVENTIONS
For more information about document conventions, refer to the Cisco Technical Tips Conventions.

CONFIGURE CISCO EASY VPN WITH PASSWORD EXPIRY FEATURE


To configure AAA to perform MS-CHAP2-style authentication, do the following:

Step 1. A new sub-option, passwd-expiry, is used to support the Password Expiry feature:
aaa authentication login <list-name> passwd-expiry group <server-group-name>|radius

Step 2. If you use the <server-group-name> option, configure the following:
aaa group server radius <server-group-name>
server <ip-addr>

Or, if you use the radius option, configure:
radius-server host <ip-addr> auth-port 1645 acct-port 1646 key <key-string>

Step 3. A client (for example, Crypto) can associate with AAA using:
crypto map <map-name> client authentication list <list-name>

The list name maps to the list defined in Step 1.

Cisco 2821 Integrated Services Router Configuration Using Crypto Map
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xinl-gateway
!
aaa new-model
!
!
aaa authentication login USERAUTH passwd-expiry group radius
aaa authorization network branch local
!
aaa session-id common
!
resource policy
!
!
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
!
!
!
crypto pki trustpoint TP-self-signed-523425186
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-523425186
revocation-check none
rsakeypair TP-self-signed-523425186
!
!
crypto pki certificate chain TP-self-signed-523425186
certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer
username cisco privilege 15 secret 5 $1$A3HU$bCWjlkrEztDJx6JJzSnMV1
!
!
crypto isakmp policy 1
encr 3des

authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group branch
key cisco
domain cisco.com
pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list USERAUTH
crypto map dynmap isakmp authorization list branch
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 200.1.1.100 255.255.255.0
duplex auto
speed auto
crypto map dynmap
!
interface GigabitEthernet0/1
description $ES_LAN$
ip address 172.19.217.96 255.255.255.0
duplex auto
speed auto
!
ip local pool dynpool 10.2.122.211 10.2.122.213
ip route 0.0.0.0 0.0.0.0 172.19.217.1
!
!
ip http server
ip http authentication local

ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
!
radius-server host 172.19.220.149 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
End

Cisco 2821 Integrated Services Router Configuration Using DVTI


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xinl-gateway
!
aaa new-model
!
!
aaa authentication login USERAUTH passwd-expiry group radius
aaa authorization network branch local
!
aaa session-id common
!
resource policy

!
!
!
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
!
!
!
crypto pki trustpoint TP-self-signed-523425186
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-523425186
revocation-check none
rsakeypair TP-self-signed-523425186
!
!
crypto pki certificate chain TP-self-signed-523425186
certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer
username cisco privilege 15 secret 5 $1$A3HU$bCWjlkrEztDJx6JJzSnMV1
username user1 password 0 password1
!
!
policy-map FOO
class class-default
shape average 128000
!
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group branch
key cisco
domain cisco.com
pool dynpool
acl 150
crypto isakmp profile vi
match identity group branch

client authentication list USERAUTH
isakmp authorization list branch
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto ipsec profile vi
set transform-set transform-1
set isakmp-profile vi
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 200.1.1.100 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ES_LAN$
ip address 172.19.217.96 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
service-policy output FOO
!
ip local pool dynpool 10.2.122.211 10.2.122.213
ip route 0.0.0.0 0.0.0.0 172.19.217.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!

!
!
radius-server host 172.19.220.149 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Configure Cisco Secure ACS
Use the following procedure to configure Cisco Secure ACS:

Step 1. Define the Cisco 2800 Series router as an AAA client. Be sure to select RADIUS (Cisco IOS/PIX) as the authentication method.
Refer to Figure 2.

Figure 2. AAA Client Configuration

Step 2. Define the external user database for Windows Active Directory users.

Be sure to check the Dialin Permission and MS-CHAP2 boxes, and enter the domain name for the Windows Active Directory server
(Figures 3 and 4).

Figure 3. Defining External User Database

Figure 4. Defining External User Database (continued)

Step 3. Add the external user to the Cisco Secure ACS user database. It is a reference pointing to the Windows Active Directory database.

Be sure to select Windows Database as the Password Authentication type (Figure 5).

Figure 5. User Setup

Step 4. Define a VPN user on Windows Active Directory.

Note: For the Windows user, select Allow access under Remote Access Permission on the Dial-in tab (Figure 6), and check “User must change
password at next logon” on the Account tab (Figure 7) in the user profile.

Figure 6. Active Directory User Configuration—Remote Access Permission

Figure 7. Active Directory User Configuration—Account Options

Verify
The following examples demonstrate how the RADIUS Password Expiry feature works when the Windows password expires. The VPN user is
informed that the password has expired and prompted to enter a new one.

Step 1. Launch the Cisco VPN Client (Figure 8).

Figure 8. Cisco VPN Client

Step 2. Type your username and password to log in. Then click OK (Figure 9).

Figure 9. User Authentication

Step 3. When the Windows password expires, you will be prompted to change the password. Type a new password, type it again to confirm it,
and click OK (Figure 10).

Figure 10. Change Password

Troubleshoot
Before examining the debug messages, consider the Microsoft vendor-specific attributes needed to understand this feature. AAA generates or
processes the following Microsoft attributes to provide password expiry support.

• MS-CHAP-Error—The MS-CHAP-Error attribute contains error data related to the preceding MS-CHAP exchange. This attribute can be used
in MS-CHAP2; it is used only in Access-Reject packets.
• MS-CHAP2-CPW—This attribute allows users to change their password if it has expired. It is used only in conjunction with the
MS-CHAP-NT-Enc-PW attribute in Access-Request packets, and should be included only if an MS-CHAP-Error attribute was included in the immediately
preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP
version is 3.
• MS-CHAP-NT-Enc-PW—This attribute contains the new Windows NT password encrypted with the old Windows NT password hash. The
encrypted Windows NT password is 516 octets long. Because this is longer than the maximum length of a RADIUS attribute, the password must
be split into several attributes for transmission. A 2-octet sequence number is included in the attribute to help preserve ordering of the password
fragments. This attribute is used only in Access-Request packets, in conjunction with MS-CHAP-CPW-2 and MS-CHAP2-CPW attributes. It
should be included only if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the
MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is 2 or greater.
• MS-CHAP2-Response—This attribute contains the response value provided by an MS-CHAP2 peer in response to the challenge. It is used only
in Access-Request packets.
• MS-CHAP2-Success—This attribute contains a 42-octet authenticator response string, which must be included in the message field of the
MS-CHAP2 Success packet sent from the network access server to the peer. This attribute is used only in Access-Accept packets.

The following section shows the debug messages captured on the Cisco 2821 Integrated Services Router with Cisco IOS Software during a tunnel
negotiation. Refer to the bold portions to see how AAA attributes are passed between the Cisco Secure ACS and the Cisco IOS Easy VPN Server to
inform the VPN user that the password has expired, and to take the new Windows password from the VPN user back to the Windows user database.

Turn on the following debug commands on the Cisco 2821 Integrated Services Router:

• debug aaa authentication
• debug ppp authentication
• debug aaa attributes
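
In the debug aaa attributes output, the MS-CHAP-Error value is printed as a hex dump: one ident octet followed by ASCII such as E=648 R=0 V=3. The following Python code is an added example, not part of the original Cisco document. It decodes that attribute using the failure codes from RFC 2759 and redacts the password and tunnel-password values, which the same debug prints as hex-encoded cleartext. The function names are illustrative, and the sample lines are copied from the debug output in this document.

```python
import re

# Failure codes carried in the E= field of an MS-CHAP failure string (RFC 2759, section 6).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Attributes whose values the debug prints as recoverable hex.
SENSITIVE = {"password", "tunnel-password"}

# Matches "add attr", "del attr" and "find" lines that carry name(id) length value.
ATTR = re.compile(
    r"^\*(?P<ts>.+?): AAA/ATTR\((?P<sid>[0-9A-F]+)\): (?P<op>add attr|del attr|find): "
    r"\S+ \d+ \S+ (?P<name>[\w-]+)\(\d+\) (?P<len>\d+) (?P<value>.*)$"
)

# Sample input: lines copied from the debug output in this document, wraps included.
SAMPLE = """\
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAF78 0 0000000A username(352) 8 vpnuser1
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAF8C 0 0000000A password(242) 8 63 69 73 63
6F 31 32 33
*Mar 10 03:19:29.550: AAA/ATTR(00000000): add attr: 446DAF78 0 00000009 MS-CHAP-Error(489) 14 01 45
3D 36 34 38 20 52 3D 30 20 56 3D 33
"""


def unwrap(text):
    """Rejoin wrapped log lines: every real entry starts with '*'."""
    lines = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        if raw.startswith("*") or not lines:
            lines.append(raw)
        else:
            lines[-1] += " " + raw
    return lines


def decode_mschap_error(hex_value):
    """Decode the hex dump of an MS-CHAP-Error value: one ident octet, then ASCII."""
    try:
        data = bytes.fromhex(hex_value)
    except ValueError:  # IOS truncates long values mid-octet, e.g. "... 0B 6"
        return None
    if len(data) < 2:
        return None
    text = data[1:].decode("ascii", errors="replace")
    fields = dict(re.findall(r"\b([ERCV])=(\S+)", text))
    if not fields.get("E", "").isdigit():
        return None
    code = int(fields["E"])
    return {
        "ident": data[0],
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
        "version": int(fields["V"]) if fields.get("V", "").isdigit() else None,
        "password_expired": code == 648,
    }


def review(text):
    """Return (decoded MS-CHAP-Error events, log lines with sensitive values redacted)."""
    findings, redacted = [], []
    for line in unwrap(text):
        m = ATTR.match(line)
        if m and m["name"] in SENSITIVE:
            line = line[: m.start("value")] + "<redacted>"
        elif m and m["name"] == "MS-CHAP-Error" and m["op"] == "add attr":
            decoded = decode_mschap_error(m["value"])
            if decoded:
                findings.append({"time": m["ts"], **decoded})
        redacted.append(line)
    return findings, redacted


if __name__ == "__main__":
    events, safe_lines = review(SAMPLE)
    for event in events:
        print(event)
    print("\n".join(safe_lines))
```
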

*Mar 10 03:19:14.570: AAA/ATTR(000015C7): new list: 0x451A04E8


*Mar 10 03:19:14.570: AAA/ATTR(000015C7): cursor init: 44FE4F78 451A04E8 none none
*Mar 10 03:19:14.570: AAA/ATTR(000015C7): find: port-type(162): not found
*Mar 10 03:19:14.570: AAA/ATTR(000015C7): add attr: 451A0500 0 00000001 port-type(162) 4 Virtual
Terminal
*Mar 10 03:19:14.570: AAA/BIND(000015C7): Bind i/f
*Mar 10 03:19:14.570: AAA/ATTR(000015C7): new list: 0x451A1588
*Mar 10 03:19:14.574: AAA/ATTR(000015C7): add attr: 451A15A0 0 00000001 session-id(323) 4 5575(15C7)
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): copy lists
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): new list: 0x44E5678C old list: 451A04E8
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): new list: 0x4519D0DC
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): add attr: 4519D0F4 0 0000000A username(352) 6 branch
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): add attr: 4519D108 0 0000000A password(242) 5 63 69 73 63
6F
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): add attr: 4519D11C 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): cursor init: 44A15F78 4519D0DC none unknown

*Mar 10 03:19:14.602: AAA/ATTR(000015C7): find: 4519D0F4 0 0000000A username(352) 6 branch
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D130 0 00000009 tunnel-password(343) 5 63 69
73 63 6F
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D144 0 0000000A default-domain(571) 9
cisco.com
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D158 0 0000000A addr-pool(9) 7 dynpool
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D16C 0 0000000A inacl(101) 3 150
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D180 0 0000000A dns-servers(44) 15 0.0.0.0
0.0.0.0
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D194 0 0000000A wins-servers(370) 15 0.0.0.0
0.0.0.0
*Mar 10 03:19:14.606: AAA/ATTR(00000000): add attr: 4519D1A8 0 0000000A cpp-policy(580) 10
cpp-policy
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): copy lists
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): new list: 0x4416B2F0 old list: 4519D0DC
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): cursor init: 44FE5238 4416B2F0 ike ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): username service:ike protocol:ipsec skip
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): password service:ike protocol:ipsec skip
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): clid service:ike protocol:ipsec skip
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): tunnel-password ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): default-domain ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): addr-pool ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): inacl ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): dns-servers ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): wins-servers ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): cpp-policy ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): not found
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): free all lists: 0x4519D0DC
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D0F4 0 0000000A username(352) 6 branch
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D108 0 0000000A password(242) 5 63 69 73 63
6F
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D11C 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D130 0 00000009 tunnel-password(343) 5 63 69
73 63 6F

*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D144 0 0000000A default-domain(571) 9
cisco.com
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D158 0 0000000A addr-pool(9) 7 dynpool
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D16C 0 0000000A inacl(101) 3 150
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D180 0 0000000A dns-servers(44) 15 0.0.0.0
0.0.0.0
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D194 0 0000000A wins-servers(370) 15 0.0.0.0
0.0.0.0
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): del attr: 4519D1A8 0 0000000A cpp-policy(580) 10
cpp-policy
*Mar 10 03:19:14.610: AAA/ATTR(000015C7): free all lists: 0x44E5678C
*Mar 10 03:19:14.610: AAA/ATTR(000015C7): del attr: 44E567A4 0 00000001 port-type(162) 4 Virtual
Terminal
*Mar 10 03:19:14.634: AAA/ATTR(000015C8): new list: 0x451CDCC0
*Mar 10 03:19:14.634: AAA/ATTR(000015C8): cursor init: 44FE4E00 451CDCC0 none none
*Mar 10 03:19:14.634: AAA/ATTR(000015C8): find: port-type(162): not found
*Mar 10 03:19:14.634: AAA/ATTR(000015C8): add attr: 451CDCD8 0 00000001 port-type(162) 4 Virtual
Terminal
*Mar 10 03:19:14.634: AAA/ATTR(000015C8): find: interface(158): not found
*Mar 10 03:19:14.634: AAA/ATTR(000015C8): add attr: 451CDCEC 0 00000009 interface(158) 11
200.1.1.100
*Mar 10 03:19:14.634: AAA/BIND(000015C8): Bind i/f
*Mar 10 03:19:14.634: AAA/ATTR(000015C8): new list: 0x4519D0DC
*Mar 10 03:19:14.634: AAA/ATTR(000015C8): add attr: 4519D0F4 0 00000001 session-id(323) 4 5576(15C8)
*Mar 10 03:19:14.634: AAA/ATTR(000015C7): free all lists: 0x451A1588
*Mar 10 03:19:14.634: AAA/ATTR(000015C7): del attr: 451A15A0 0 00000001 session-id(323) 4 5575(15C7)
*Mar 10 03:19:14.634: AAA/ATTR(000015C7): free all lists: 0x451A04E8
*Mar 10 03:19:14.634: AAA/ATTR(000015C7): del attr: 451A0500 0 00000001 port-type(162) 4 Virtual
Terminal
*Mar 10 03:19:29.494: AAA/AUTHEN/LOGIN (000015C8): Pick method list 'USERAUTH'
*Mar 10 03:19:29.494: AAA/ATTR(000015C8): copy lists
*Mar 10 03:19:29.494: AAA/ATTR(000015C8): new list: 0x451A1588 old list: 451CDCC0
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): new list: 0x446DAF60
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAF78 0 0000000A username(352) 8 vpnuser1
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAF8C 0 0000000A password(242) 8 63 69 73 63
6F 31 32 33
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAFA0 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): cursor init: 445DE970 446DAF60 none unknown
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): find: 446DAF8C 0 0000000A password(242) 8 63 69 73 63 6F
31 32 33
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): delete attr: 446DAF60 00000000 1
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): del attr: 446DAF8C 0 0000000A password(242) 8 63 69 73 63
6F 31 32 33

*Mar 10 03:19:29.498: AAA/ATTR(000015C8): find: 446DAF78 0 0000000A username(352) 8 vpnuser1
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAFB4 0 00000009 challenge(22) 16 19 AE DA 8A
5F FE F3 95 32 2D 74 AD 0A 01 8D FD
*Mar 10 03:19:29.498: AAA/ATTR(000015C8): add attr: 446DAFC8 0 00000001 id(23) 4 1(1)
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): add attr: 446DAFDC 0 00000009 response(24) 49 66 5D 60 77
74 2C 11 55 1A 15 28 79 CA C0 51 70 00 00 00 00 00 00 00 00 94 D0 68 B2 8D 0B 6
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DEA08 446DAF60 none unknown
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find: 446DAF78 0 0000000A username(352) 8 vpnuser1
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DEA08 446DAF60 none unknown
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find: password(242): not found
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DEAA0 446DAF60 none unknown
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find: 446DAF78 0 0000000A username(352) 8 vpnuser1
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DE9A8 446DAF60 none none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): username ok
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): clid ok
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): challenge ok
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): id ok
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): response ok
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): not found
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): cursor init: 445DE9A8 451A1588 none none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): port-type ok
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): interface ok
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): find next matching service=none, protocol=none
*Mar 10 03:19:29.502: AAA/ATTR(000015C8): not found
*Mar 10 03:19:29.546: AAA/ATTR(000015C8): free all lists: 0x446DAF60
*Mar 10 03:19:29.546: AAA/ATTR(000015C8): del attr: 446DAF78 0 0000000A username(352) 8 vpnuser1
*Mar 10 03:19:29.546: AAA/ATTR(000015C8): del attr: 446DAF8C 0 0000000A password(242) 8 63 69 73 63
6F 31 32 33
*Mar 10 03:19:29.546: AAA/ATTR(000015C8): del attr: 446DAFA0 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAFB4 0 00000009 challenge(22) 16 19 AE DA 8A
5F FE F3 95 32 2D 74 AD 0A 01 8D FD
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAFC8 0 00000001 id(23) 4 1(1)
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAFDC 0 00000009 response(24) 49 66 5D 60 77
74 2C 11 55 1A 15 28 79 CA C0 51 70 00 00 00 00 00 00 00 00 94 D0 68 B2 8D 0B 6
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): new list: 0x446DAF60

*Mar 10 03:19:29.550: AAA/ATTR(000015C8): cursor init: 4519FE70 446DAF60 none none
*Mar 10 03:19:29.550: AAA/ATTR(00000000): add attr: 446DAF78 0 00000009 MS-CHAP-Error(489) 14 01 45 3D 36 34 38 20 52 3D 30 20 56 3D 33
*Mar 10 03:19:29.550: AAA/ATTR(00000000): add attr: 446DAF8C 0 00000009 reply-message(203) 10 Rejected
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): cursor init: 4519FDC8 446DAF60 none unknown
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): find: mschap-v2-success(513): not found
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): find: 446DAF78 0 00000009 MS-CHAP-Error(489) 14 01 45 3D 36 34 38 20 52 3D 30 20 56 3D 33
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): add attr: 446DAFA0 0 00000009 reply-message(203) 14 E=648 R=0 V=3
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): cursor init: 44FE5288 446DAF60 ike ipsec
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): find: 446DAF8C 0 00000009 reply-message(203) 10 Rejected
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): delete attr: 446DAF60 00000000 1
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAF8C 0 00000009 reply-message(203) 10 Rejected
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): free all lists: 0x446DAF60
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAF78 0 00000009 MS-CHAP-Error(489) 14 01 45 3D 36 34 38 20 52 3D 30 20 56 3D 33
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAF8C 0 00000009 reply-message(203) 10 Rejected
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 446DAFA0 0 00000009 reply-message(203) 14 E=648 R=0 V=3
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): free all lists: 0x451A1588
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 451A15A0 0 00000001 port-type(162) 4 Virtual
Terminal
*Mar 10 03:19:29.550: AAA/ATTR(000015C8): del attr: 451A15B4 0 00000009 interface(158) 11
200.1.1.100
*Mar 10 04:14:12.386: AAA/AUTHEN/LOGIN (000015DC): Pick method list 'USERAUTH'
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): copy lists
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): new list: 0x44E1BC8C old list: 44E8D658
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): new list: 0x446DAC48
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): add attr: 446DAC60 0 0000000A username(352) 8 vpnuser1
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): add attr: 446DAC74 0 0000000A password(242) 8 63 69 73 63 6F 31 32 33
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): add attr: 446DAC88 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): cursor init: 445DE970 446DAC48 none unknown
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): find: 446DAC74 0 0000000A password(242) 8 63 69 73 63 6F
31 32 33

*Mar 10 04:14:12.386: AAA/ATTR(000015DC): delete attr: 446DAC48 00000000 1
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): del attr: 446DAC74 0 0000000A password(242) 8 63 69 73 63
6F 31 32 33
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): free all lists: 0x446DAC48
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): del attr: 446DAC60 0 0000000A username(352) 8 vpnuser1
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): del attr: 446DAC74 0 0000000A password(242) 8 63 69 73 63
6F 31 32 33
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): del attr: 446DAC88 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 04:14:12.386: AAA/ATTR(000015DC): new list: 0x446DAC48
*Mar 10 04:14:12.390: AAA/ATTR(000015DC): add attr: 446DAC60 0 00000009 username(352) 8 vpnuser1
*Mar 10 04:14:12.390: AAA/ATTR(000015DC): add attr: 446DAC74 0 00000009 challenge(22) 16 AF B4 3E A6 B0 1F 63 F7 FC E3 2B E6 7C 30 E8 BC
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): add attr: 446DAC88 0 00000009 MS-CHAP-CPW-2(514) 67 01 42 97 6F 67 F7 AC A3 1C 37 98 0B 71 CF B9 25 C5 98 12 5A BF F7 07 14 2C 45 C0 24 C
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): add attr: 446DAC9C 0 00000009 MS-CHAP-NT-Enc-PW1(490) 175 01 00 01 C3 83 9E EC 48 E7 BF C7 4C CA 4A D9 2B 5C 11 8D 9A 22 8B 20 0E 3A 67 A
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): add attr: 446DACB0 0 00000009 MS-CHAP-NT-Enc-PW2(491) 175 01 00 02 74 57 58 0D BB DB 1A 34 71 E2 EE 43 12 A5 2A 17 19 E6 41 FD 13 42 F5 4
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): add attr: 446DACC4 0 00000009 MS-CHAP-NT-Enc-PW3(492) 175 01 00 03 9F 44 EC D1 00 F1 C0 E9 67 41 99 09 1E E7 09 C4 3E 00 80 EC 5B F3 02 3
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): cursor init: 445DEA08 446DAC48 none unknown
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): find: 446DAC60 0 00000009 username(352) 8 vpnuser1
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): cursor init: 445DEA08 446DAC48 none unknown
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): find: password(242): not found
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): cursor init: 445DEAA0 446DAC48 none unknown
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): find: 446DAC60 0 00000009 username(352) 8 vpnuser1
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): cursor init: 445DE9A8 446DAC48 none none
*Mar 10 04:14:12.394: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): username ok
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): challenge ok
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): MS-CHAP-CPW-2 ok
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): MS-CHAP-NT-Enc-PW1 ok
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): MS-CHAP-NT-Enc-PW2 ok
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): MS-CHAP-NT-Enc-PW3 ok

*Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): not found
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): cursor init: 445DE9A8 44E1BC8C none none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): port-type ok
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): interface ok
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.398: AAA/ATTR(000015DC): not found
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): free all lists: 0x446DAC48
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DAC60 0 00000009 username(352) 8 vpnuser1
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DAC74 0 00000009 challenge(22) 16 AF B4 3E A6 B0 1F 63 F7 FC E3 2B E6 7C 30 E8 BC
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DAC88 0 00000009 MS-CHAP-CPW-2(514) 67 01 42 97 6F 67 F7 AC A3 1C 37 98 0B 71 CF B9 25 C5 98 12 5A BF F7 07 14 2C 45 C0 24 C
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DAC9C 0 00000009 MS-CHAP-NT-Enc-PW1(490) 175 01 00 01 C3 83 9E EC 48 E7 BF C7 4C CA 4A D9 2B 5C 11 8D 9A 22 8B 20 0E 3A 67 A
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DACB0 0 00000009 MS-CHAP-NT-Enc-PW2(491) 175 01 00 02 74 57 58 0D BB DB 1A 34 71 E2 EE 43 12 A5 2A 17 19 E6 41 FD 13 42 F5 4
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): del attr: 446DACC4 0 00000009 MS-CHAP-NT-Enc-PW3(492) 175 01 00 03 9F 44 EC D1 00 F1 C0 E9 67 41 99 09 1E E7 09 C4 3E 00 80 EC 5B F3 02 3
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): new list: 0x446DAC48
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): cursor init: 4519FE70 446DAC48 none none
*Mar 10 04:14:12.486: AAA/ATTR(00000000): add attr: 446DAC60 0 00000009 mschap-v2-success(513) 43 •S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
*Mar 10 04:14:12.486: AAA/ATTR(00000000): add attr: 446DAC74 0 00000001 addrv4(7) 4 255.255.255.255
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): new list: 0x44EA1950
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): new list: 0x451C5360
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): cursor init: 4519FDB0 451C5360 none none
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): find next matching service=none, protocol=none
*Mar 10 04:14:12.486: AAA/ATTR(000015DC): not found
*Mar 10 04:14:12.486: AAA/ATTR(00000000): add attr: 451C5378 0 00000009 class(301) 28 43 49 53 43 4F 41 43 53 3A 30 30 30 31 32 39 30 35 2F 61 63 31 33 64 39 36 30 2F 31
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): cursor init: 4519FDC8 446DAC48 none unknown
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): find: 446DAC60 0 00000009 mschap-v2-success(513) 43 •S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): add attr: 446DAC88 0 00000009 reply-message(203) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728

*Mar 10 04:14:12.490: AAA/ATTR(000015DC): free all lists: 0x451C4970
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4988 0 0000000A username(352) 6 branch
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C499C 0 0000000A password(242) 5 63 69 73 63 6F
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C49B0 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C49C4 0 00000009 tunnel-password(343) 5 63 69 73 63 6F
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C49D8 0 0000000A default-domain(571) 9 cisco.com
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C49EC 0 0000000A addr-pool(9) 7 dynpool
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4A00 0 0000000A inacl(101) 3 150
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4A14 0 0000000A dns-servers(44) 15 0.0.0.0 0.0.0.0
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4A28 0 0000000A wins-servers(370) 15 0.0.0.0 0.0.0.0
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 451C4A3C 0 0000000A cpp-policy(580) 10 cpp-policy
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): copy lists
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): new list: 0x451C4970 old list: 446DAC48
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): cursor init: 44FE5210 451C4970 ike ipsec
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): mschap-v2-success skip
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): addrv4 ok
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): reply-message skip
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): not found
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): free all lists: 0x446DAC48
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 446DAC60 0 00000009 mschap-v2-success(513) 43 •S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 446DAC74 0 00000001 addrv4(7) 4 255.255.255.255
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 446DAC88 0 00000009 reply-message(203) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): free all lists: 0x44E1BC8C
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 44E1BCA4 0 00000001 port-type(162) 4 Virtual Terminal
*Mar 10 04:14:12.490: AAA/ATTR(000015DC): del attr: 44E1BCB8 0 00000009 interface(158) 11 200.1.1.100
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): copy lists
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): new list: 0x44E1BC8C old list: 44E8D658
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): new list: 0x446DAC48
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): add attr: 446DAC60 0 0000000A username(352) 6 branch
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): add attr: 446DAC74 0 0000000A password(242) 5 63 69 73 63 6F

*Mar 10 04:14:12.638: AAA/ATTR(000015DC): add attr: 446DAC88 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): add attr: 446DAC9C 0 00000002 port-type(162) 4 Virtual Terminal
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): cursor init: 44A15F78 446DAC48 none unknown
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): find: 446DAC60 0 0000000A username(352) 6 branch
*Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DACB0 0 00000009 tunnel-password(343) 5 63 69 73 63 6F
*Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DACC4 0 0000000A default-domain(571) 9 cisco.com
*Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DACD8 0 0000000A addr-pool(9) 7 dynpool
*Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DACEC 0 0000000A inacl(101) 3 150
*Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DAD00 0 0000000A dns-servers(44) 15 0.0.0.0 0.0.0.0
*Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DAD14 0 0000000A wins-servers(370) 15 0.0.0.0 0.0.0.0
*Mar 10 04:14:12.638: AAA/ATTR(00000000): add attr: 446DAD28 0 0000000A cpp-policy(580) 10 cpp-policy
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): free all lists: 0x451C4970
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): del attr: 451C4988 0 00000009 mschap-v2-success(513) 43 •S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): del attr: 451C499C 0 00000001 addrv4(7) 4 255.255.255.255
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): del attr: 451C49B0 0 00000009 reply-message(203) 43 S=1E0C11C3E724FB4FD2F5DFA20407F1ABCC8D4728
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): copy lists
*Mar 10 04:14:12.638: AAA/ATTR(000015DC): new list: 0x451C4970 old list: 446DAC48
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): cursor init: 44FE5220 451C4970 ike ipsec
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): username service:ike protocol:ipsec skip
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): password service:ike protocol:ipsec skip
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): clid service:ike protocol:ipsec skip
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): port-type service:ike protocol:ipsec skip
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): tunnel-password ok
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): default-domain ok
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): addr-pool ok
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): inacl ok
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): dns-servers ok
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): wins-servers ok
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec

*Mar 10 04:14:12.642: AAA/ATTR(000015DC): cpp-policy ok
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): find next matching service=ike, protocol=ipsec
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): not found
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): free all lists: 0x446DAC48
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAC60 0 0000000A username(352) 6 branch
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAC74 0 0000000A password(242) 5 63 69 73 63 6F
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAC88 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAC9C 0 00000002 port-type(162) 4 Virtual Terminal
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DACB0 0 00000009 tunnel-password(343) 5 63 69 73 63 6F
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DACC4 0 0000000A default-domain(571) 9 cisco.com
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DACD8 0 0000000A addr-pool(9) 7 dynpool
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DACEC 0 0000000A inacl(101) 3 150
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAD00 0 0000000A dns-servers(44) 15 0.0.0.0 0.0.0.0
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAD14 0 0000000A wins-servers(370) 15 0.0.0.0 0.0.0.0
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 446DAD28 0 0000000A cpp-policy(580) 10 cpp-policy
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): free all lists: 0x44E1BC8C
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 44E1BCA4 0 00000001 port-type(162) 4 Virtual Terminal
*Mar 10 04:14:12.642: AAA/ATTR(000015DC): del attr: 44E1BCB8 0 00000009 interface(158) 11 200.1.1.100

Printed in the USA C11-345535-00 04/06