You have configured the password management feature for a tunnel group on an ASA. The ASA is using a
Cisco Secure ACS RADIUS server for AAA authentication.
Which of the following actions will occur after a remote user with an expired password attempts to establish a
VPN connection? (Select the best answer.)

A.
The AnyConnect client will display an authentication failed dialog box and will not permit the user to
establish the VPN connection until an admin unlocks the user’s account.

B.
The AnyConnect client will display a dialog box that prompts the user for a new password.

C.
The AnyConnect client will display a dialog box that prompts the user for both their old password and a new
password.

D.
The AnyConnect client will display a dialog box notifying the user that their password has expired but will
permit the user to establish the VPN connection with the expired password.

Explanation:
In this scenario, the Cisco AnyConnect virtual private network (VPN) client will display a dialog box that prompts
the user for a new password after a remote user with an expired password attempts to establish a VPN
connection. When a Cisco Adaptive Security Appliance (ASA) is configured to use the password management
feature for a particular tunnel group, the ASA will use Microsoft Challenge Handshake
Authentication Protocol version 2 (MSCHAPv2) rather than Password Authentication Protocol (PAP) when
communicating with the Remote Authentication DialIn User Service (RADIUS) server and the AnyConnect
client. MSCHAPv2 supports password expiry and password change capabilities that are not inherently
supported by PAP or RADIUS. This enables the ASA to understand RadiusReject messages with password
expiry information instead of simply treating the messages as authentication failure messages. When the ASA
receives the RadiusReject message with password expiry information, it sends a MODE_CFG message to the
AnyConnect VPN client, causing it to display a dialog box that prompts the user for a new password. The ASA
then forwards the new password to the RADIUS server, and if the new password meets the configured
password requirements, the user is authenticated and the ASA can finish establishing the VPN connection.
The AnyConnect client will not prevent the user from establishing a VPN connection until an administrator
unlocks the user’s account. Because the password management feature is enabled on the ASA, it has the
capability to prompt the user to update their expired password. However, if the password management feature
was not enabled on the ASA in this scenario, then RadiusReject messages received from the RADIUS server
would be interpreted as an authentication failure message and users with expired passwords would be unable
to establish VPN connections.
The AnyConnect client will not prompt the user for both their old password and a new password nor will it permit
the user to establish the VPN connection with an expired password.Reference:
Cisco: ASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP
Configuration Example: ASA with ACS via RADIUS