72-14
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 72 Configuring Clientless SSL VPN
Configuring Application Helper
Close Message and Upload Image dialog boxes close, revealing the APCF Add/Edit pane. Otherwise,
click Cancel in the Close Message dialog box. The dialog box closes, revealing the Upload Image dialog
box again, with the values in the fields intact. Click Upload File.
Managing Passwords
Optionally, you can configure the ASA to warn end users when their passwords are about to expire.
The ASA supports password management for the RADIUS and LDAP protocols. It supports the
“password-expire-in-days” option for LDAP only.
You can configure password management for IPsec remote access and SSL VPN tunnel-groups.When
you configure password management, the ASA notifies the remote user at login that the user’s current
password is about to expire or has expired. The ASA then offers the user the opportunity to change the
password. If the current password has not yet expired, the user can still log in using that password.
This command is valid for AAA servers that support such notification.
The ASA, releases 7.1 and later, generally supports password management for the following connection
types when authenticating with LDAP or with any RADIUS configuration that supports MS-CHAPv2:
• AnyConnect VPN Client
• IPsec VPN Client
• Clientless SSL VPN
The RADIUS server (for example, Cisco ACS) could proxy the authentication request to another
authentication server. However, from the ASA perspective, it is talking only to a RADIUS server.
Prerequisites
• Native LDAP requires an SSL connection. You must enable LDAP over SSL before attempting to
do password management for LDAP. By default, LDAP uses port 636.
If you are using an LDAP directory server for authentication, password management is supported
with the Sun Microsystems JAVA System Directory Server (formerly named the Sun ONE Directory
Server) and the Microsoft Active Directory.
Sun—The DN configured on the ASA to access a Sun directory server must be able to access the
default password policy on that server. We recommend using the directory administrator, or a user
with directory administrator privileges, as the DN. Alternatively, you can place an ACI on the
default password policy.
Microsoft—You must configure LDAP over SSL to enable password management with Microsoft
Active Directory.Restrictions
• Some RADIUS servers that support MSCHAP currently do not support MSCHAPv2. This command
requires MSCHAPv2 so check with your vendor.
• Password management is not supported for any of these connection types for Kerberos/Active
Directory (Windows password) or NT 4.0 Domain.
• For LDAP, the method to change a password is proprietary for the different LDAP servers on the
market. Currently, the ASA implements the proprietary password management logic only for
Microsoft Active Directory and Sun LDAP servers.
• The ASA ignores this command if RADIUS or LDAP authentication has not been configured.