Tag Archives: ldap

Cisco ASA VPN LDAP Password Management

If you wish to enable password management for LDAP on a Cisco ASA VPN profile, there are certain requirements to be met.

  1. LDAP over SSL must be enabled for the aaa-server group.  Issue the command: ldap-over-ssl enable on the aaa-server host properties.
  2. The domain controller(s) that you are authenticating to must support LDAPS. You can accomplish this by installing Certificate Services on the domain controller and rebooting it. Once that is done, it will accept LDAPS queries.
  3. You must enable the command password-management on the tunnel-group for the VPN.
  4. Optionally, you can use option  password-expire-in-days <# of days> under password-management to notify users that their password will be expiring. If you do not specify that, users will not be notified but will still be able to change their password once it expires.
See the below commands for an example of a full configuration.
aaa-server MyLDAP protocol ldap
aaa-server MyLDAP (inside) host 10.1.1.20
 ldap-base-dn DC=My, DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ASA VPN, CN=Users, DC=My, DC=com
 ldap-over-ssl enable
 server-type microsoft


tunnel-group Myvpn-LDAP general-attributes
 address-pool ippool2
 authentication-server-group MyLDAP
 default-group-policy Myvpn-AD
 password-management password-expire-in-days 3