Password with Expiry


OTPUser

Mar 19, 2016, 7:59:54 PM
to RCDevs Security Solutions - Technical
Hi,

Using the latest version of OpenOTP with AD integration and Cisco ASA with the AnyConnect client. I want to be able to pass password expiration to the AnyConnect client, preferably a warning that their password will expire in X days, and at the very least, have the user be prompted to change their password when it does expire.

I can't find anywhere in the RadiusBridge documentation or within radiusd.conf where this can be enabled/configured, nor anywhere within WebADM.  

I saw a post from 2013 that OpenOTP can't pass back the expiry information.  1) is that still true and if so are there plans to address that?  2) if not true, can someone point me to directions on how to set this up?  Is there a workaround that someone has been able to put together?  

Password with Expiry and being able to support password rotation is pretty common.

Thanks
- OTP User 

Spyridon Gouliarmis (RCDevs)

Mar 21, 2016, 7:25:20 AM
to RCDevs Security Solutions - Technical
Hi,

On Sunday, March 20, 2016 at 12:59:54 AM UTC+1, OTPUser wrote:
> Hi,
>
> Using latest version of OpenOTP with AD integration and Cisco ASA with AnyConnect client. I want to be able to pass password expiration to the AnyConnect client, preferably a warning that their password will expire in X days, and at the very least, have the user be prompted to change their password when it does expire.

The "will expire soon" warning might be doable; we'll give it a try in the case of AD. Having the user prompted to change their password is problematic: at that point we only have one factor (the OTP) to believe the right user is trying to log in. Instant drop in security, unless we can make sure the expired password that was just provided was the right one. We're less confident we can do that.

> I can't find anywhere in the RadiusBridge documentation or within radiusd.conf where this can be enabled/configured, nor anywhere within WebADM.
>
> I saw a post from 2013 that OpenOTP can't pass back the expiry information. 1) is that still true and if so are there plans to address that? 2) if not true, can someone point me to directions on how to set this up? Is there a workaround that someone has been able to put together?

1) yes, and yes since just now
2) you can change the "password expired" message to include a link to an internal URL where you expose our PwReset app. That's in the OpenOTP settings, under the Applications tab.

> Password with Expiry and being able to support password rotation is pretty common.

Any product you can point us to helps. We might have missed an obvious way to do it.

> Thanks
> - OTP User

OTPUser

Mar 27, 2016, 10:26:41 AM
to RCDevs Security Solutions - Technical
Thanks Spyridon.

I understand how this could circumvent security.  A friend of mine uses SecureAuth and they first prompt you for the username only, then the OTP, then your domain password.  So if you're within 8-10 days of your password expiring, or your password has expired, you're already authenticated via OTP first - then you are prompted to put in your new username and password.  Since you need to put in your old password, you've been authenticated twice (OTP and old password) prior to changing.  Not sure if this is something that could be done here.
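The ordering described above (OTP first, then the expired domain password, and only then a change), as an added Python model of the challenge/response flow; this is not RCDevs or OpenOTP code, and the account, the toy OTP scheme, the 10-day warning window and the 90-day rotation period are constructed assumptions.

```python
import hashlib, hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

WARN_DAYS = 10  # assumption: warn during the last 10 days, after the "8-10 days" remark

@dataclass
class Account:
    pw_hash: str           # constructed: plain SHA-256 for the demo, not a real password hash
    pw_expires: datetime
    otp_secret: bytes

def pw_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def otp_code(secret: bytes, counter: int) -> str:
    # Toy event-based code: HMAC of the counter truncated to 6 digits (not RFC 4226 HOTP).
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class Session:  # one login attempt, driven by RADIUS-style challenge/response steps
    def __init__(self, acct: Account, now: datetime, counter: int):
        self.acct, self.now, self.counter = acct, now, counter
        self.otp_ok = self.old_pw_ok = False

    def submit_otp(self, code: str) -> str:
        if not hmac.compare_digest(code, otp_code(self.acct.otp_secret, self.counter)):
            return "Access-Reject"
        self.otp_ok = True
        return "Access-Challenge: password"

    def submit_password(self, pw: str) -> str:
        if not self.otp_ok:  # the OTP factor must already be verified
            return "Access-Reject"
        if not hmac.compare_digest(pw_hash(pw), self.acct.pw_hash):
            return "Access-Reject"
        self.old_pw_ok = True
        left = (self.acct.pw_expires - self.now).days
        if left < 0:  # expired, but both factors are now verified: allow a change
            return "Access-Challenge: new-password"
        if left <= WARN_DAYS:
            return f"Access-Accept: password expires in {left} days"
        return "Access-Accept"

    def submit_new_password(self, new_pw: str) -> str:
        if not (self.otp_ok and self.old_pw_ok):  # never change on one factor alone
            return "Access-Reject"
        self.acct.pw_hash = pw_hash(new_pw)
        self.acct.pw_expires = self.now + timedelta(days=90)  # assumption: 90-day policy
        return "Access-Accept: password changed"
```

An expired password is accepted only as proof of the second factor and never grants access by itself; a change request that skips either step is rejected.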