This case study explores how to configure the password expiry feature with Cisco Secure ACS integrated with Active Directory for the VPN 3000 Concentrator. Assume that CS ACS sits outside the concentrator (on its public side), so a filter needs to allow UDP/1645 and UDP/1646 traffic for RADIUS to function correctly.
VPN 3000 Concentrator Configuration
Assume that everything on the VPN 3000 Concentrator other than the password expiry feature has been configured, and that the VPN client was connecting without problems before the password expiry feature was configured.
Group Configuration on the VPN 3000 Concentrator
Follow the steps outlined here to configure the group:
To configure the group to accept the NT Password Expiration Parameters from the RADIUS Server, go to Configuration > User Management > Groups, select your group from the list, and click Modify Group. The example that follows shows how to modify a group named ipsecgroup.
Go to the IPsec tab and make sure that RADIUS with Expiry is selected for the Authentication attribute.
To enable this feature on the VPN 3002 Hardware Clients, go to the HW Client tab, be sure that Require Interactive Hardware Client Authentication is enabled, and then click Apply.
Defining the CS ACS RADIUS Server on VPN 3000 Concentrator
Follow the steps outlined here to configure the RADIUS server on the VPN Concentrator:
To configure the CS ACS RADIUS server settings on the concentrator, go to Configuration > System > Servers > Authentication > Add.
On the Add screen, type in the values that correspond to the CS ACS RADIUS server and click Add. In this setup, the following values are used:
Server Type: RADIUS
Authentication Server: 10.1.1.40
Server Port: 0 (for the default of 1645)
Timeout: 4
Retries: 2
Server Secret: cisco123
Verify: cisco123
CS ACS Windows Configuration
Follow these steps to complete the configuration on the CS ACS side:
AAA Client Definition for VPN 3000 Concentrator
Log in to CS ACS GUI and click Network Configuration in the left panel. Under AAA Clients, click Add Entry.
On the Add AAA Client screen, type the appropriate values to add the concentrator as the RADIUS (Cisco VPN 3000) client, and then click the Submit + Restart button.
An entry for your VPN 3000 Concentrator appears under the AAA Clients section.
Configuring the Unknown User Policy for Windows NT/2000 Domain Authentication
To configure User Authentication on the RADIUS server as a part of the Unknown User Policy, follow these steps:
Click External User Database in the left panel, and then click the link for Database Configuration.
Under External User Database Configuration, click Windows NT/2000.
On the Database Configuration Creation screen, click Create New Configuration.
When prompted, type a name for the NT/2000 Authentication and click Submit.
Click Configure to configure the Domain Name for User Authentication.
Select your Windows/NT domain from the Available Domains, then click the right-arrow button to add it to the Domain List. Under MS-CHAP Settings, ensure that the options for Permit password changes using MS-CHAP version 1 and version 2 are selected. Click Submit when you are finished.
Click External User Database in the left panel, and then click the link for Database Group Mappings. You should see an entry for your previously configured external database.
On the Domain Configurations screen, click New configuration to add the domain configurations.
Select your domain from the list of Detected Domains and click Submit.
Click on your domain name to configure the group mappings.
Click Add mapping to define the group mappings.
On the Create New Group Mapping screen, map the group on the NT/Windows domain to a group on the CS ACS RADIUS server, and then click Submit.
Click External User Database in the left panel; then click the link for Unknown User Policy. Be sure that the option for Check the following external user database is selected. Click the right-arrow button to move the previously configured external database from the list of External Databases to the list of Selected Databases.
Testing the NT/RADIUS Password Expiration Feature
Before testing the password expiry, work through the steps that follow to be sure the configuration works for a regular (non-expired) authentication:
Go to Configuration > System > Servers > Authentication. Select your RADIUS server and click Test.
When prompted, type your NT/Windows domain user name and password, and then click OK.
If your authentication is set up properly, you should get a message stating Authentication Successful.
If you receive any message other than that shown in the preceding step, there is some configuration or connection problem. Repeat the configuration and testing steps outlined in this document to ensure that all settings were made properly. Also check the IP connectivity between your devices.
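The RADIUS exchange behind the Test button, as an added Python example that is not code from the concentrator, CS ACS or the original page: it builds an RFC 2865 Access-Request with the User-Password hiding of section 5.2, and validates the reply's Response Authenticator with the shared secret cisco123, port 1645, Timeout 4 and Retries 2 from the server definition above. The PAP form of the request, the user name, the NAS IP 10.1.1.1 and the offline replies are all assumptions or constructed values; the page does not state which authentication method the Test button uses, and the live tunnel with RADIUS with Expiry negotiates MS-CHAP, so this checks reachability and the shared secret rather than the expiry flow itself.

```python
import hashlib
import os
import socket
import struct

# Values from the case study's server definition (the harness itself is constructed, not ACS or concentrator code).
RADIUS_SERVER = "10.1.1.40"
RADIUS_AUTH_PORT = 1645   # what "Server Port = 0" selects; 1646 is accounting. IANA later assigned 1812/1813.
SHARED_SECRET = b"cisco123"
TIMEOUT_SECONDS = 4
RETRIES = 2

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encrypt_pap_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block or authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden


def decrypt_pap_password(hidden, secret, authenticator):
    """Inverse of encrypt_pap_password, as the RADIUS server recovers the cleartext; strips NUL padding."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def build_access_request(identifier, username, password, nas_ip, secret, authenticator=None):
    """Access-Request with User-Name, hidden User-Password and NAS-IP-Address (PAP form; an assumption)."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator: 16 random bytes
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs, authenticator


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What a RADIUS server sends back; used here to construct offline Accept/Reject replies."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + response_authenticator(code, identifier, attrs, request_authenticator, secret) + attrs


def verify_response(packet, request_identifier, request_authenticator, secret):
    """Client-side checks: matching identifier, consistent length, valid Response Authenticator.
    Returns a status string, or None when the reply is not authentic (a shared secret mismatch looks like this)."""
    if len(packet) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if identifier != request_identifier or length != len(packet):
        return None
    attrs = packet[20:]
    if packet[4:20] != response_authenticator(code, identifier, attrs, request_authenticator, secret):
        return None
    return {ACCESS_ACCEPT: "Authentication Successful",
            ACCESS_REJECT: "Authentication Rejected",
            ACCESS_CHALLENGE: "Access-Challenge (server wants more input)"}.get(code, "Unknown code %d" % code)


def probe_radius_server(username, password, nas_ip, host=RADIUS_SERVER, port=RADIUS_AUTH_PORT,
                        secret=SHARED_SECRET, timeout=TIMEOUT_SECONDS, retries=RETRIES):
    """Network equivalent of the Test button: send, wait `timeout` seconds, resend up to `retries` times."""
    identifier = os.urandom(1)[0]
    packet, authenticator = build_access_request(identifier, username, password, nas_ip, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries + 1):
            sock.sendto(packet, (host, port))
            try:
                reply, _peer = sock.recvfrom(4096)
            except socket.timeout:
                continue   # silence usually means IP connectivity or the UDP/1645 filter rule, not credentials
            return verify_response(reply, identifier, authenticator, secret) or "Unverifiable reply (shared secret mismatch?)"
    return "Timeout: no reply after %d retries" % retries


if __name__ == "__main__":
    # Constructed offline round trip; call probe_radius_server("user", "pass", "10.1.1.1") for a live check.
    request, auth = build_access_request(1, "testuser", "Passw0rd", "10.1.1.1", SHARED_SECRET)
    print(verify_response(build_response(ACCESS_ACCEPT, 1, auth, SHARED_SECRET), 1, auth, SHARED_SECRET))
```

The two failure modes the preceding step describes separate cleanly here: a blocked UDP/1645 path or a wrong server address produces the timeout branch after the configured retries, while a shared secret that differs between the concentrator and the AAA client entry on CS ACS produces a reply whose Response Authenticator does not verify.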
Now perform the actual test for password expiry as follows:
If the user is already defined on the domain server, modify the properties so that the user is prompted to change the password at the next login. Go to the Account tab of the user's properties dialog box, and select the option for User must change password at next logon. Then click OK.
Launch the VPN client, and then try to establish the tunnel to the concentrator.
During User Authentication, you should be prompted to change the password.