Cisco IOS Easy VPN

AAA Password Expiry in Cisco IOS EasyVPN

Configuration Guide

This document highlights the steps to configure the RADIUS Password Expiry feature on Cisco IOS® Easy VPN Servers. The Cisco® Secure Access Control Server (ACS) configured for Microsoft Challenge Handshake Authentication Protocol 2 (MS-CHAP2) is used as the RADIUS server in this example (Password Authentication Protocol [PAP] is not supported for this feature). With this feature enabled, VPN users are prompted to change an expired Microsoft Windows password when they launch the Cisco VPN Client to connect to the Easy VPN Server.

CHALLENGE

Currently, Cisco IOS Easy VPN clients send the username and password values to the Easy VPN Server, which in turn sends them to the authentication, authorization, and accounting (AAA) subsystem. The AAA subsystem generates an authentication request to the RADIUS server. If the password has expired, the RADIUS server replies with an authentication failure. The reason for the failure is not passed back to the AAA subsystem, so the user is denied access because of the authentication failure but does not learn that the failure is due to password expiry.

SOLUTION

The AAA Password Expiry infrastructure notifies the Easy VPN client that the password has expired, and provides a generic way for the user to change the password.

Note: The Password Expiry feature is not supported on the hardware client.

COMPONENTS USED

The information in this document is based on the following software and hardware versions:

• Cisco 2821 Integrated Services Router with Cisco IOS Software Release 12.4(6)T

• Cisco VPN Client Version 4.0.5

• Cisco Secure Access Control Server (ACS) Version 3.3 installed on a Windows 2000 server

Users in this document are defined in the Microsoft Windows 2000 Active Directory Server.
The information in this document was created from the devices in a specific lab environment. All devices used in this document started with a normal tunnel configuration, using either a crypto map or a Dynamic Virtual Tunnel Interface (DVTI). If your network is live, make sure that you understand the potential impact of any command.

NETWORK DIAGRAM

This document uses the network setup shown in Figure 1.

Figure 1. Network Setup

CONVENTIONS

For more information about document conventions, refer to the Cisco Technical Tips Conventions.

CONFIGURE CISCO EASY VPN WITH PASSWORD EXPIRY FEATURE

To configure AAA to perform a MS-CHAP2 style authentication, do the following:

Step 1. A new sub-option, passwd-expiry, is used to support the Password Expiry feature:

aaa authentication login <list-name> passwd-expiry group <server-group-name>|radius

Step 2. If you use the <server-group-name> option, configure the following:

aaa group server radius <server-group-name>
server <ip-addr>

If you use the radius option, configure the following instead:

radius-server host <ip-addr> auth-port 1645 acct-port 1646 key <key-string>

Step 3. A client (for example, Crypto) can associate with AAA using:

crypto map <map-name> client authentication list <list-name>

The list name maps to the list defined in Step 1.
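As an added example that is not part of this Cisco document, the following Python audits an IOS configuration excerpt for the three-step linkage above: every client authentication list referenced by a crypto map or ISAKMP profile must be defined with passwd-expiry, and a RADIUS server or server group must exist. The configuration excerpt is constructed for this example.

```python
import re

# Constructed IOS running-config excerpt for this example (not the document's full config);
# the crypto map deliberately points at a list that was never defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login USERAUTH passwd-expiry group radius
crypto isakmp profile vi
 match identity group branch
 client authentication list USERAUTH
 virtual-template 1
crypto map dynmap client authentication list OTHERLIST
radius-server host 172.19.220.149 auth-port 1645 acct-port 1646 key cisco
"""

def login_lists(config):
    """Map each 'aaa authentication login' list name to whether it carries passwd-expiry."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+)\s+(.*)$", config, re.M):
        lists[m.group(1)] = "passwd-expiry" in m.group(2).split()
    return lists

def referenced_lists(config):
    """Login list names referenced by 'crypto map ... client authentication list'
    or by 'client authentication list' inside an ISAKMP profile."""
    return set(re.findall(r"^\s*(?:crypto map \S+ )?client authentication list (\S+)",
                          config, re.M))

def audit(config):
    """Return findings: undefined lists, lists lacking passwd-expiry, missing RADIUS server."""
    findings = []
    lists = login_lists(config)
    for name in sorted(referenced_lists(config)):
        if name not in lists:
            findings.append(f"list {name} is referenced but not defined")
        elif not lists[name]:
            findings.append(f"list {name} lacks passwd-expiry")
    if not re.search(r"^(radius-server host|aaa group server radius)\b", config, re.M):
        findings.append("no RADIUS server or server group defined")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```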

Cisco 2821 Integrated Services Router Configuration Using Crypto Map

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xinl-gateway
!
aaa new-model
!
!
aaa authentication login USERAUTH passwd-expiry group radius
aaa authorization network branch local
!
aaa session-id common
!
resource policy
!
!
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
!
!
!
crypto pki trustpoint TP-self-signed-523425186
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-523425186
revocation-check none
rsakeypair TP-self-signed-523425186
!
!
crypto pki certificate chain TP-self-signed-523425186
certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer
username cisco privilege 15 secret 5 $1$A3HU$bCWjlkrEztDJx6JJzSnMV1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group branch
key cisco
domain cisco.com
pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list USERAUTH
crypto map dynmap isakmp authorization list branch
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 200.1.1.100 255.255.255.0
duplex auto
speed auto
crypto map dynmap
!
interface GigabitEthernet0/1
description $ES_LAN$
ip address 172.19.217.96 255.255.255.0
duplex auto
speed auto
!
ip local pool dynpool 10.2.122.211 10.2.122.213
ip route 0.0.0.0 0.0.0.0 172.19.217.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
!
radius-server host 172.19.220.149 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Cisco 2821 Integrated Services Router Configuration Using DVTI

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xinl-gateway
!
aaa new-model
!
!
aaa authentication login USERAUTH passwd-expiry group radius
aaa authorization network branch local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
ip domain name cisco.com
!
!
!
crypto pki trustpoint TP-self-signed-523425186
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-523425186
revocation-check none
rsakeypair TP-self-signed-523425186
!
!
crypto pki certificate chain TP-self-signed-523425186
certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer
username cisco privilege 15 secret 5 $1$A3HU$bCWjlkrEztDJx6JJzSnMV1
username user1 password 0 password1
!
!
policy-map FOO
class class-default
  shape average 128000
!
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group branch
key cisco
domain cisco.com
pool dynpool
acl 150
crypto isakmp profile vi
   match identity group branch
   client authentication list USERAUTH
   isakmp authorization list branch
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto ipsec profile vi
set transform-set transform-1
set isakmp-profile vi
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 200.1.1.100 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ES_LAN$
ip address 172.19.217.96 255.255.255.0
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
service-policy output FOO
!
ip local pool dynpool 10.2.122.211 10.2.122.213
ip route 0.0.0.0 0.0.0.0 172.19.217.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
!
radius-server host 172.19.220.149 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send authentication
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Configure Cisco Secure ACS

Use the following procedure to configure Cisco Secure ACS:

Step 1. Define the Cisco 2800 Series router as an AAA client. Be sure to select RADIUS (Cisco IOS/PIX) as the authentication method. Refer to Figure 2.

Figure 2. AAA Client Configuration

Step 2. Define the external user database for Windows Active Directory users.

Be sure to check the Dialin Permission and MS-CHAP2 boxes, and enter the domain name for the Windows Active Directory server (Figures 3 and 4).

Figure 3. Defining External User Database

Figure 4. Defining External User Database (continued)

Step 3. Add the external user to the Cisco Secure ACS user database. It is a reference pointing to the Windows Active Directory database.

Be sure to select Windows Database as the Password Authentication type (Figure 5).

Figure 5. User Setup

Step 4. Define a VPN user on Windows Active Directory.

Note: For each Windows user, select Allow access under Remote Access Permission on the Dial-in tab (Figure 6) and check "User must change password at next logon" on the Account tab (Figure 7) of the user profile.

Figure 6. Active Directory User Configuration-Remote Access Permission

Figure 7. Active Directory User Configuration-Account Options

Verify

The following examples demonstrate how the RADIUS Password Expiry feature works when the Windows password expires. The VPN user is informed that the password has expired and prompted to enter a new one.

Step 1. Launch the Cisco VPN Client (Figure 8).

Figure 8. Cisco VPN Client

Step 2. Type your username and password to log in. Then click OK (Figure 9).

Figure 9. User Authentication

Step 3. When the Windows password has expired, you are prompted to change the password. Type a new password, type it again to confirm, and click OK (Figure 10).

Figure 10. Change Password

Troubleshoot

Before examining the debug messages, consider the Microsoft vendor-specific attributes needed to understand this feature. The following Microsoft attributes are generated or processed by AAA to provide password expiry support.

MS-CHAP-Error: The MS-CHAP-Error attribute contains error data related to the preceding MS-CHAP exchange. This attribute can be used in MS-CHAP2; it is used only in Access-Reject packets.

MS-CHAP2-CPW: This attribute allows users to change their password if it has expired. It is used only in conjunction with the MS-CHAP-NT-Enc-PW attribute in Access-Request packets, and should be included only if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is 3.

MS-CHAP-NT-Enc-PW: This attribute contains the new Windows NT password encrypted with the old Windows NT password hash. The encrypted Windows NT password is 516 octets long. Because this is longer than the maximum length of a RADIUS attribute, the password must be split into several attributes for transmission. A 2-octet sequence number is included in the attribute to help preserve ordering of the password fragments. This attribute is used only in Access-Request packets, in conjunction with the MS-CHAP-CPW-2 and MS-CHAP2-CPW attributes. It should be included only if an MS-CHAP-Error attribute was included in the immediately preceding Access-Reject packet, the String field of the MS-CHAP-Error attribute indicated that the user password had expired, and the MS-CHAP version is 2 or greater.

MS-CHAP2-Response: This attribute contains the response value provided by an MS-CHAP2 peer in response to the challenge. It is used only in Access-Request packets.

MS-CHAP2-Success: This attribute contains a 42-octet authenticator response string, which must be included in the Message field of the MS-CHAP2 Success packet sent from the network access server to the peer. This attribute is used only in Access-Accept packets.
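The following Python is an added example, not code from this Cisco document: it parses Microsoft vendor-specific attributes out of a RADIUS attribute blob, reports whether an Access-Reject carries the expired-password signal in MS-CHAP-Error, and reassembles the fragmented MS-CHAP-NT-Enc-PW by its 2-octet sequence number. The Microsoft Vendor-Id (311), the vendor-type codes and the E=648 error code are taken from RFC 2548 rather than from this page, the 243-octet fragment size is an assumption derived from the 255-octet RADIUS attribute limit, and the sample packets are constructed.

```python
import struct
MS_VENDOR_ID = 311           # Microsoft Vendor-Id (RFC 2548, not from this document)
MS_CHAP_ERROR = 2            # vendor-type codes from RFC 2548
MS_CHAP_NT_ENC_PW = 6
ERROR_PASSWD_EXPIRED = 648   # E= value that MS-CHAP-Error carries for an expired password

def ms_sub_attrs(attrs):
    """Yield (vendor_type, payload) for each Microsoft sub-attribute in a RADIUS attribute blob."""
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        value, pos = attrs[pos + 2:pos + alen], pos + alen
        if atype != 26 or len(value) < 6 or struct.unpack("!I", value[:4])[0] != MS_VENDOR_ID:
            continue                      # not a Vendor-Specific (26) attribute from Microsoft
        sub = value[4:]
        while sub:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed Microsoft sub-attribute")
            yield vtype, sub[2:vlen]
            sub = sub[vlen:]

def password_expired(attrs):
    """True when an Access-Reject carries MS-CHAP-Error whose String field has E=648."""
    for vtype, payload in ms_sub_attrs(attrs):
        if vtype == MS_CHAP_ERROR:        # payload = Ident octet, then "E=... R=... C=... V=... M=..."
            for field in payload[1:].decode("ascii", "replace").split():
                if field.startswith("E="):
                    return int(field[2:]) == ERROR_PASSWD_EXPIRED
    return False

def reassemble_nt_enc_pw(attrs):
    """Join MS-CHAP-NT-Enc-PW fragments (Code, Ident, 2-octet Sequence, String) in sequence order."""
    frags = {}
    for vtype, payload in ms_sub_attrs(attrs):
        if vtype == MS_CHAP_NT_ENC_PW:
            frags[struct.unpack("!H", payload[2:4])[0]] = payload[4:]
    return b"".join(frags[seq] for seq in sorted(frags))

def ms_vsa(vtype, payload):               # encode one Microsoft sub-attribute inside attribute 26
    body = struct.pack("!I", MS_VENDOR_ID) + bytes([vtype, len(payload) + 2]) + payload
    return bytes([26, len(body) + 2]) + body

# Constructed samples, not a capture: a reject signalling expiry, and a request with a dummy 516-octet blob in 3 fragments
REJECT_ATTRS = ms_vsa(MS_CHAP_ERROR, b"\x01E=648 R=1 C=" + b"00" * 16 + b" V=3 M=Password expired")
DUMMY_ENC_PW = bytes(range(256)) * 2 + bytes(4)                           # 516 octets
REQUEST_ATTRS = b"".join(ms_vsa(MS_CHAP_NT_ENC_PW, b"\x06\x01" + struct.pack("!H", i)
                                + DUMMY_ENC_PW[i * 243:(i + 1) * 243]) for i in (2, 0, 1))
```

The fragments in REQUEST_ATTRS are deliberately emitted out of order so that the reassembly by sequence number is exercised.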

The following section shows the debug messages captured on the Cisco 2821 Integrated Services Router with Cisco IOS Software during a tunnel negotiation. Refer to the bold portions to see how AAA attributes are passed between the Cisco Secure ACS and the Cisco IOS Easy VPN Server to inform the VPN user that the password has expired, and how the new Windows password is carried from the VPN user back to the Windows user database.

Turn on the following debug commands on the Cisco 2821 Integrated Services Router:

• debug aaa authentication

• debug ppp authentication

• debug aaa attributes

*Mar 10 03:19:14.570: AAA/ATTR(000015C7): new list: 0x451A04E8
*Mar 10 03:19:14.570: AAA/ATTR(000015C7): cursor init: 44FE4F78 451A04E8 none none
*Mar 10 03:19:14.570: AAA/ATTR(000015C7): find: port-type(162): not found
*Mar 10 03:19:14.570: AAA/ATTR(000015C7): add attr: 451A0500 0 00000001 port-type(162) 4 Virtual Terminal
*Mar 10 03:19:14.570: AAA/BIND(000015C7): Bind i/f
*Mar 10 03:19:14.570: AAA/ATTR(000015C7): new list: 0x451A1588
*Mar 10 03:19:14.574: AAA/ATTR(000015C7): add attr: 451A15A0 0 00000001 session-id(323) 4 5575(15C7)
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): copy lists
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): new list: 0x44E5678C old list: 451A04E8
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): new list: 0x4519D0DC
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): add attr: 4519D0F4 0 0000000A username(352) 6 branch
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): add attr: 4519D108 0 0000000A password(242) 5 63 69 73 63 6F
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): add attr: 4519D11C 0 0000000A clid(28) 9 200.1.1.3
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): cursor init: 44A15F78 4519D0DC none unknown
*Mar 10 03:19:14.602: AAA/ATTR(000015C7): find: 4519D0F4 0 0000000A username(352) 6 branch
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D130 0 00000009 tunnel-password(343) 5 63 69 73 63 6F
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D144 0 0000000A default-domain(571) 9 cisco.com
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D158 0 0000000A addr-pool(9) 7 dynpool
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D16C 0 0000000A inacl(101) 3 150
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D180 0 0000000A dns-servers(44) 15 0.0.0.0 0.0.0.0
*Mar 10 03:19:14.602: AAA/ATTR(00000000): add attr: 4519D194 0 0000000A wins-servers(370) 15 0.0.0.0 0.0.0.0
*Mar 10 03:19:14.606: AAA/ATTR(00000000): add attr: 4519D1A8 0 0000000A cpp-policy(580) 10 cpp-policy
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): copy lists
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): new list: 0x4416B2F0 old list: 4519D0DC
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): cursor init: 44FE5238 4416B2F0 ike ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): username service:ike protocol:ipsec skip
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): password service:ike protocol:ipsec skip
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): clid service:ike protocol:ipsec skip
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): tunnel-password ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): default-domain ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): addr-pool ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): inacl ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): dns-servers ok
*Mar 10 03:19:14.606: AAA/ATTR(000015C7): find next matching service=ike, protocol=ipsec