If you wish to enable password management for LDAP on a Cisco ASA VPN profile, there are certain requirements to be met.
- LDAP over SSL must be enabled for the aaa-server group. Issue the command ldap-over-ssl enable under the aaa-server host entry.
- The domain controller(s) that you are authenticating to must support LDAPS. You can accomplish this by installing Certificate Services on the domain controller and rebooting it. Once that is done, it will accept LDAPS queries.
- You must enable the command password-management on the tunnel-group for the VPN.
- Optionally, you can add password-expire-in-days <# of days> to the password-management command to warn users that their password is about to expire. If you do not specify it, users will not be warned in advance, but they will still be able to change their password once it has expired.
The commands below show an example of a full configuration.

aaa-server MyLDAP protocol ldap
aaa-server MyLDAP (inside) host 10.1.1.20
 ldap-base-dn DC=My, DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=ASA VPN, CN=Users, DC=My, DC=com
 ldap-over-ssl enable
 server-type microsoft
tunnel-group Myvpn-LDAP general-attributes
 address-pool ippool2
 authentication-server-group MyLDAP
 default-group-policy Myvpn-AD
 password-management password-expire-in-days 3
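As an added example (not from the original page or from Cisco), here is a small Python checker that parses an ASA-style configuration and verifies the two mandatory requirements above: password-management on the tunnel-group, and ldap-over-ssl enable on every host of the aaa-server group that tunnel-group authenticates against. The embedded configuration is a constructed sample modelled on the one above, and the parser assumes the usual ASA convention of indented sub-commands under each top-level command.

```python
import re

# Constructed sample modelled on the configuration above; not taken from a live device.
SAMPLE_CONFIG = """\
aaa-server MyLDAP protocol ldap
aaa-server MyLDAP (inside) host 10.1.1.20
 ldap-base-dn DC=My, DC=com
 ldap-login-dn CN=ASA VPN, CN=Users, DC=My, DC=com
 ldap-over-ssl enable
 server-type microsoft
tunnel-group Myvpn-LDAP general-attributes
 authentication-server-group MyLDAP
 password-management password-expire-in-days 3
"""

def parse_sections(config):
    """Group each indented sub-command under the top-level line preceding it."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def check_password_management(config):
    """Return a list of findings; an empty list means every requirement is met."""
    hosts = {}    # aaa-server group name -> [(host address, sub-commands)]
    tunnels = []  # (tunnel-group name, sub-commands)
    for head, body in parse_sections(config):
        if m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", head):
            hosts.setdefault(m.group(1), []).append((m.group(2), body))
        elif m := re.match(r"tunnel-group (\S+) general-attributes", head):
            tunnels.append((m.group(1), body))
    findings = []
    for name, body in tunnels:
        # Requirement: password-management on the tunnel-group.
        if not any(c.startswith("password-management") for c in body):
            findings.append(f"{name}: password-management is not enabled")
            continue
        # Requirement: every host in the referenced aaa-server group uses LDAPS.
        for c in body:
            if c.startswith("authentication-server-group"):
                group = c.split()[-1]
                for host, sub in hosts.get(group, []):
                    if "ldap-over-ssl enable" not in sub:
                        findings.append(f"{name}: host {host} in {group} lacks ldap-over-ssl enable")
    return findings
```

Run it against the output of show running-config (saved to a file) to confirm both requirements are present before enabling password management on a production tunnel-group.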