Options

Password Expiration

burbankmarcburbankmarc Member Posts: 460
in CCNP Security
Does anyone have a workaround for AD password expiration for VPN users? So far we've just been manually changing passwords, which works for our current amount of users. Soon, though, we'll be ratcheting up our numbers and I can see this becoming a burden.

Any help is appreciated.
· Share on FacebookShare on Twitter

Comments

  • Options
    QHaloQHalo Member Posts: 1,488
    Are you talking about how they have cached credentials to login at home, and then require them to put in their updated password once they login to VPN? If that's the case, starting VPN prior to login has been the way we've resolved issues like these before. I believe there's an option with Cisco VPN to start the tunnel prior to machine login.

    Either that or Windows 7 and DirectAccess.
    http://vwilmo.wordpress.com

    · Share on FacebookShare on Twitter
  • Options
    burbankmarcburbankmarc Member Posts: 460
    Actually, these machines are NOT on the domain (by design). They do, however, log into the VPN using their domain credentials, which expire every couple of months. Once the password expires instead of being asked to create a new one, which is what happens locally, they just get refused their connection.
    · Share on FacebookShare on Twitter
  • Options
    jason_lundejason_lunde Member Posts: 567
    Do you use OWA at all? I know a bit off the beaten path, but we have Exchange 2007 and the OWA with that release has a way to change your windows password. Not the best option, but it is there.
    · Share on FacebookShare on Twitter
  • Options
    burbankmarcburbankmarc Member Posts: 460
    We do not. We're mostly a Unix shop, so almost all of our services are unix based.

    I think, what I'm going to do is make a script that runs after the VPN connects which checks how long until the user's password expires. If it's within 7 days I'll just have them change it.
    · Share on FacebookShare on Twitter
  • Options
    jason_lundejason_lunde Member Posts: 567
    burbankmarc wrote: »
    We do not. We're mostly a Unix shop, so almost all of our services are unix based.

    I think, what I'm going to do is make a script that runs after the VPN connects which checks how long until the user's password expires. If it's within 7 days I'll just have them change it.

    Sorry, I should have added that that's what our admin had done as well. Realized on the way in today that I should have added that, b/c they cant very well log onto OWA if their pw has already expired. We had the benefit of our computers being joined to a domain though, so it made it a tad easier. Hope it works out for you man, let us know.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.