Cisco ASA SSL VPN for AnyConnect and expired AD passwords

We set up our ASA AnyConnect to use DUO for 2FA following these instructions - We use AD/LDAP as the primary authenticator.

This setup works fine but we have noticed that after implementing this configuration, users with upcoming expired passwords are not warned about the same. Also, once user passwords are expired, it renders this mode of connecting to VPN useless and requires an admin to reset their password on AD. This worked fine before implementing DUO for auth and 2FA. Am I missing something here? I have password management enabled on the connection profile on the ASA.

Thanks for any assistance!

PS - The reason we don’t want to use SAML for this is that we don’t want to maintain the DAG internally and plan on moving to Duo Cloud SSO for all cloud apps.

A Duo Authentication Proxy with a RADIUS + AD configuration does not support password reset.

The combinations that do support password reset through the proxy are:

  • RADIUS server + RADIUS client using MS-CHAPv2
  • LDAP server + LDAP client using LDAPS or STARTTLS

Read more about these configurations here: Does the Duo Authentication Proxy support in-line password resets?

If you’re thinking about Duo SSO, we have a named application for ASA AnyConnect already! Use SAML authentication with AnyConnect without needing to set up Duo Access Gateway on-premises. You can leverage the Duo proxy server you already have to configure AD authentication for Duo SSO.
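As an added example (not from the thread, and not Duo's own sample), here is what the "LDAP server + LDAP client using LDAPS" pairing from the reply looks like in an Authentication Proxy `authproxy.cfg`, with the settings that would break the reset path called out in comments. Hostnames, the integration key, secret key, API host, bind account and certificate paths are placeholders; check the section and key names against Duo's configuration reference before use.

```ini
; Added example: proxy-side configuration for in-line AD password changes
; via LDAPS on both legs (ASA -> proxy, proxy -> AD).
; Every host, key, secret and path below is a placeholder.

[ad_client]
; placeholder domain controller and bind account
host=dc1.example.internal
service_account_username=svc-duo-proxy
service_account_password=CHANGE_ME
search_dn=DC=example,DC=internal
; transport=clear (the default) is the setting that blocks password changes:
; AD only accepts a new password over an encrypted connection. Use ldaps or
; starttls, and point the proxy at the CA that issued the DC certificate.
transport=ldaps
ssl_ca_certs_file=conf\ad-root-ca.pem

[ldap_server_auto]
; placeholder Duo application credentials
ikey=DIXXXXXXXXXXXXXXXXXX
skey=CHANGE_ME
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
failmode=secure
; The ASA must also reach the proxy over TLS. Without ssl_port together with
; the proxy's own key and certificate, the proxy only listens for plaintext
; LDAP and the reset path is unavailable again on the client leg.
ssl_port=636
ssl_key_path=conf\proxy.key
ssl_cert_path=conf\proxy.pem
```

On the ASA side the matching `aaa-server` host entry would use `ldap-over-ssl enable` with `server-port 636` pointing at the proxy, and the tunnel-group keeps `password-management` enabled.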

@DuoKristina - Thanks for the response. Does the cloud-based Duo SSO for AnyConnect option (link you provided) support password resets?

Yes, if your authentication source for Duo SSO is another SAML IdP that supports password reset.

No, if using the Authentication Proxy as the AD authentication source for Duo SSO.

If you’re interested in the latter please contact your Duo account exec or customer success manager if you have one, or Duo Support if you don’t, to submit your feature request for AD password reset with Duo SSO. The product team is in the discovery phase on this functionality so additional context from customers helps.

@DuoKristina - thanks again. Yes, we do use Auth Proxy as the auth source and will continue to do so. What message should I send to our account exec or support? Just, “hey, password resets with Duo SSO would be great”? :smiley:

Yep, pretty much! Just make it clear that you want to submit a feature request for it, so it gets entered into the right system.