Cisco AnyConnect – Allow Domain Password Change via LDAP

KB ID 0001273 

Problem


If you have remote users who connect via VPN, and a policy that forces them to change their password periodically, this can result in them getting locked out without the ability to change their password (externally).

If your Cisco ASA is using LDAP to authenticate your users, then you can use your remote AnyConnect VPN solution to let them reset their passwords remotely.

Solution

Standard LDAP runs over TCP port 389. To allow the ASA to reset passwords for users, it needs to connect to the directory via LDAPS (TCP port 636). Your AD server needs to be able to authenticate via LDAPS, and by default it will not. I’ve already covered how to set that up in another post, see the following article.

Windows Server 2012 – Enable LDAPS

So, assuming the AD server(s) that the Cisco ASA is authenticating against are already set up, you need to ensure that your AAA settings for LDAP are set to use port 636.

Enable LDAPS via Command Line

On my test network I only have one LDAP server in my LDAP AAA group, you may need to repeat this procedure for each one in yours.

[box]

Petes-ASA(config)# aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
Petes-ASA(config-aaa-server-host)# server-port 636

[/box]

Enable LDAPS From within the ASDM

Log into the ASDM > Configuration > Device Management > Users/AAA > Select the LDAP Server Group > Select the Server > Edit > Enable LDAP over SSL > Server Port = 636.

Note: If you attempt to reset a user password without LDAPS, then you will see the following error;

Unwilling to perform password change

Next you need to edit the AnyConnect connection profile (or the tunnel-group, if you work at the command line) to allow password resets.

Allow Password Reset via Command Line

[box]

Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# password-management password-expire-in-days 3

[/box]

Allow Password Reset via ASDM

Connect to the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Connection Profiles > Select the one for AnyConnect > Edit > Advanced > General > Password Management > Enable Password Management > Select to notify the user the number of days before their password expires > OK > Apply > File > Save running configuration to flash.

Now your users have the ability to reset their password remotely as they are about to expire, and when they have expired.

If you want to test with a particular user you can set his password to ‘expired’ using the following procedure;

Reset an AD Users Password Expiry Date

Related Articles, References, Credits, or External Links

NA

Cisco VPN – Split Tunnel Not Working?

KB ID 0001239

Problem

Here I’m dealing with AnyConnect VPNs, but the principles are exactly the same for both remote IPSEC and L2TP VPNs. You connect to your VPN and can no longer browse the internet from your remote location. 

You can confirm that split-tunnelling is working or not by connecting with your VPN client and looking at the routing information.

Solution

Before proceeding are you sure Split-Tunnelling has ever been setup and configured? See the following article.

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / AnyConnect Clients

For Split Tunnelling to work you need;

  • An Access Control List, allowing the networks/IP’s that are protected by your ASA, that you need to access over the VPN.
  • A Group-policy that references the access-list above.
  • A Tunnel Group that references the Group-policy above.

The lines get a bit blurred if you are in the ASDM; in there the terminology is access control list, group-policy, and connection profile.

Troubleshoot Split Tunnel From CLI

Connect and authenticate an AnyConnect client. Then on the firewall run the following command.

[box]

Petes-ASA# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : petelong               Index        : 4
Assigned IP  : 172.16.1.1             Public IP    : 192.168.100.77
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 14128                  Bytes Rx     : 12305
Group Policy : GroupPolicy_ANYCONNECT-PROFILE
Tunnel Group : ANYCONNECT-PROFILE
Login Time   : 12:49:31 GMT/BST Mon Sep 19 2016
Duration     : 0h:01m:03s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : c0a86e010000400057dfd0cb
Security Grp : none

Petes-ASA#

[/box]

From the output above, we know the name of the Group Policy and the Tunnel Group. The fact we can see BOTH is an indication that the tunnel group is set up correctly, but it does no harm to check.

[box]

Petes-ASA# show run tunnel-group ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
Petes-ASA#

[/box]

Then check that the group-policy has split tunnelling enabled and references the correct access control list.

[box]

Petes-ASA# show run group-policy  GroupPolicy_ANYCONNECT-PROFILE
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value testbench type user
Petes-ASA#

[/box]

Finally take the ACL name (SPLIT-TUNNEL) and make sure that’s OK.

[box]

Petes-ASA# show run access-list SPLIT-TUNNEL
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0

[/box]
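The CLI checks above (and the LDAPS/password-management prerequisites from the password-change article earlier on this page) can be scripted against a saved running-config. The following is an added example written for this page, not Cisco’s code or anything from the original post. It parses ASA config text by its one-space sub-command indentation, then walks tunnel-group → default-group-policy → split-tunnel ACL, and separately checks that the tunnel-group has password-management and that its LDAP AAA hosts use server-port 636. The sample config is constructed from the snippets shown on the page; the `protocol ldap` and `authentication-server-group` lines that tie the AAA group to the tunnel-group are assumed, as is the ASA’s default LDAP port of 389 when no server-port is set.

```python
"""Audit an ASA running-config for the two chains walked through on this page:
tunnel-group -> group-policy -> split-tunnel ACL, and the LDAPS plus
password-management prerequisites for AnyConnect password changes."""
import re

# Constructed sample, modelled on the page's snippets. The 'protocol ldap' and
# 'authentication-server-group' lines are assumed glue, not copied from the page.
SAMPLE_CONFIG = """\
aaa-server TEST-LDAP-SERVER protocol ldap
aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
 server-port 389
access-list SPLIT-TUNNEL standard permit 192.168.110.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.115.0 255.255.255.0
group-policy GroupPolicy_ANYCONNECT-PROFILE internal
group-policy GroupPolicy_ANYCONNECT-PROFILE attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 webvpn
  anyconnect profiles value testbench type user
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy GroupPolicy_ANYCONNECT-PROFILE
 authentication-server-group TEST-LDAP-SERVER
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
 group-alias ANYCONNECT-PROFILE enable
"""


def parse_config(text):
    """Map each top-level line to its indented sub-commands (ASA indents
    sub-commands by one space, nested ones by two)."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def _value(lines, prefix, index=1):
    """Token `index` of the first sub-command starting with `prefix`, or None."""
    for line in lines:
        if line.startswith(prefix):
            tokens = line.split()
            return tokens[index] if len(tokens) > index else None
    return None


def check_password_change(sections, tunnel_group):
    """Findings that block an AnyConnect user from changing an expired password:
    no password-management on the tunnel-group, or an LDAP host not on 636."""
    gen = sections.get(f"tunnel-group {tunnel_group} general-attributes")
    if gen is None:
        return [f"{tunnel_group}: no general-attributes section"]
    findings = []
    if not any(l.startswith("password-management") for l in gen):
        findings.append(f"{tunnel_group}: password-management not enabled")
    auth = next((l.split()[1:] for l in gen
                 if l.startswith("authentication-server-group")), [])
    aaa = next((t for t in auth if not t.startswith("(")), None)  # skip '(inside)'
    if aaa is None:
        return findings + [f"{tunnel_group}: no authentication-server-group"]
    if f"aaa-server {aaa} protocol ldap" not in sections:
        return findings + [f"{aaa}: AAA group is not LDAP"]
    host_re = re.compile(rf"^aaa-server {re.escape(aaa)} \(\S+\) host (\S+)$")
    for header, subs in sections.items():
        m = host_re.match(header)
        if m:
            port = _value(subs, "server-port") or "389"  # assumed ASA LDAP default
            if port != "636":
                findings.append(f"{aaa} host {m.group(1)}: server-port {port}, "
                                "needs LDAPS (636) for password changes")
    return findings


def check_split_tunnel(sections, tunnel_group):
    """Walk tunnel-group -> default-group-policy -> split-tunnel ACL."""
    gen = sections.get(f"tunnel-group {tunnel_group} general-attributes", [])
    gp = _value(gen, "default-group-policy")
    if gp is None:
        return [f"{tunnel_group}: no default-group-policy"]
    attrs = sections.get(f"group-policy {gp} attributes")
    if attrs is None:
        return [f"{gp}: referenced by {tunnel_group} but never defined"]
    findings = []
    policy = _value(attrs, "split-tunnel-policy")
    if policy != "tunnelspecified":
        findings.append(f"{gp}: split-tunnel-policy is "
                        f"{policy or 'inherited (default tunnelall)'}")
    acl = _value(attrs, "split-tunnel-network-list value", 2)
    if acl is None:
        findings.append(f"{gp}: no split-tunnel-network-list")
    elif not any(h.startswith(f"access-list {acl} ") for h in sections):
        findings.append(f"{gp}: access-list {acl} has no entries")
    return findings


def audit(config_text, tunnel_group):
    """Run both checks and return the combined list of findings."""
    sections = parse_config(config_text)
    return (check_password_change(sections, tunnel_group)
            + check_split_tunnel(sections, tunnel_group))


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, "ANYCONNECT-PROFILE") or ["all checks passed"]:
        print(line)
```

Run against the sample, the split-tunnel chain comes back clean (it matches the page’s working config), while the password-change check reports the missing `password-management` line and the LDAP host still on port 389, which is exactly the state that produces the “Unwilling to perform password change” error described earlier.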

Troubleshoot Split Tunnel From ASDM

As above connect a remote AnyConnect client > Monitoring > VPN > VPN Statistics > Sessions > AnyConnect Client > Select your connected client > Details.

Note: The info we actually want, is shown on this screen, but let’s look at the session anyway.

Now you can see the Group Policy and Connection Profile that’s been applied to this user.

Configuration > Remote Access VPN > AnyConnect Connection Profiles > Select the one shown above > Edit.

Check the Group-Policy is correct (Note: you can manage it directly from here, but I will take the long way round).

Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Select the one shown above > Edit.

Advanced > Split Tunneling > Ensure Policy is ‘unticked’ and set to ‘Tunnel Network List Below’ > Ensure Network List is ‘unticked’ and set to the name of your split tunnel ACL > Manage.

Make sure the network(s) or IP addresses behind your ASA, that you want to access over the VPN, are listed.


Related Articles, References, Credits, or External Links

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / AnyConnect Clients

Cisco ASA – Remote VPN Client Internet Access