Cisco VPN Radius with expiry & Windows domain password expiration

Alan DeKok aland at deployingradius.com
Sun Oct 12 09:16:27 CEST 2008


kesm0724 wrote:
> Is there anything special (ntlm_auth, ldap_attr, etc.) that I need to configure
> for FreeRadius to recognize that an active directory account has expired and
> the user needs to be prompted to change his/her password?

  The server doesn't support "change password" requests.  The MS-CHAP
extensions are undocumented && Microsoft proprietary.  Even if
FreeRADIUS implemented them, Samba would need to implement them, too.

>  I am not even
> receiving the "user needs to change password" dialogue box from the Cisco
> VPN client.

  I'm not even sure it's possible to do that without using undocumented
Microsoft extensions.  You could try adding a Reply-Message attribute,
and maybe the VPN will show it to the user.  Or maybe not.  It's up to
the VPN if it shows messages, and many don't.

  Alan DeKok.



More information about the Freeradius-Users mailing list