You have configured the password management feature for a tunnel group on an ASA. The ASA is using a
Cisco Secure ACS RADIUS server for AAA authentication.
Which of the following actions will occur after a remote user with an expired password attempts to establish a VPN connection? (Select the best answer.)
- The AnyConnect client will display an authentication failed dialog box and will not permit the user to establish the VPN connection until an administrator unlocks the user’s account.
- The AnyConnect client will display a dialog box that prompts the user for a new password.
- The AnyConnect client will display a dialog box that prompts the user for both their old password and a new password.
- The AnyConnect client will display a dialog box notifying the user that their password has expired but will permit the user to establish the VPN connection with the expired password.
Explanation:
In this scenario, the Cisco AnyConnect virtual private network (VPN) client will display a dialog box that prompts the user for a new password after a remote user with an expired password attempts to establish a VPN connection. When a Cisco Adaptive Security Appliance (ASA) is configured to use the password management feature for a particular tunnel group, the ASA uses Microsoft Challenge Handshake
Authentication Protocol version 2 (MSCHAPv2) rather than Password Authentication Protocol (PAP) when it authenticates the user against the Remote Authentication Dial-In User Service (RADIUS) server. MSCHAPv2 supports password expiry and password change capabilities that neither PAP nor the base RADIUS protocol provides. This enables the ASA to interpret a RADIUS Access-Reject that carries password expiry information (the MS-CHAP-Error attribute reporting error 648, ERROR_PASSWD_EXPIRED) instead of treating it as a plain authentication failure. When the ASA receives such a reject, it sends a MODE_CFG message to the AnyConnect client, causing the client to display a dialog box that prompts the user for a new password. The ASA then forwards the new password to the RADIUS server over MSCHAPv2, and if the new password meets the server's configured password requirements, the user is authenticated and the ASA finishes establishing the VPN connection.
The AnyConnect client will not prevent the user from establishing a VPN connection until an administrator unlocks the user’s account. Because the password management feature is enabled on the ASA, the ASA can prompt the user to update the expired password rather than rejecting the connection outright. If password management were not enabled in this scenario, an Access-Reject received from the RADIUS server would be interpreted as an ordinary authentication failure, and users with expired passwords would be unable to establish VPN connections until their passwords were reset by some other means. Note also that the ACS must be configured to allow MSCHAPv2 for the ASA as a RADIUS client; if the server permits only PAP, the ASA cannot relay a password change.
The AnyConnect client will not prompt the user for both their old password and a new password, because the user already supplied the expired password during the initial authentication attempt; nor will it permit the user to establish the VPN connection with the expired password.
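As an added example (not part of the original question or of Cisco's documentation), the following ASA configuration fragment shows the two pieces that make the behaviour above possible: a RADIUS server group pointing at the Cisco Secure ACS, and a remote-access tunnel group with `password-management` enabled. The server group name, tunnel group name, group policy name, interface, IP address and shared secret are placeholders; the `mschapv2-capable` setting is assumed to be at its default (enabled), and is written out only so the dependency is visible.

```cisco
! Added example (not from the original page). Names, addresses and the
! shared secret are placeholders.
!
! 1. RADIUS server group pointing at the Cisco Secure ACS.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 10.10.10.20
 key MySharedSecret
 authentication-port 1812
 accounting-port 1813
 ! Default setting; if someone has entered "no mschapv2-capable" here the
 ! ASA falls back to PAP and can no longer relay a password change.
 mschapv2-capable
!
! 2. Remote-access tunnel group used by the AnyConnect users.
tunnel-group REMOTE-USERS type remote-access
tunnel-group REMOTE-USERS general-attributes
 authentication-server-group ACS-RADIUS
 default-group-policy REMOTE-USERS-GP
 ! Without this line an Access-Reject for an expired password is treated as
 ! a plain authentication failure and the user cannot connect at all.
 password-management
```

After applying the fragment, `show running-config tunnel-group REMOTE-USERS` should list `password-management` under the general attributes, and `test aaa-server authentication ACS-RADIUS host 10.10.10.20 username <user> password <password>` confirms that the ASA can reach the ACS and that the shared secret matches before any AnyConnect user is asked to try.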