Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring Connection Profiles, Group Policies, and Users
  Configuring Connection Profiles
If the server is an LDAP server, you can specify the number of days (0 through 180) before expiration 
to begin warning the user about the pending expiration:
hostname(config-tunnel-general)# password-management [password-expire-in-days n]
hostname(config-tunnel-general)# 
Note: The password-management command, entered in tunnel-group general-attributes 
configuration mode, replaces the deprecated radius-with-expiry command that was formerly 
entered in tunnel-group ipsec-attributes mode.
When you configure this command, the ASA notifies the remote user at login that the user’s current 
password is about to expire or has expired. The ASA then offers the user the opportunity to change the 
password. If the current password has not yet expired, the user can still log in using that password. The 
ASA ignores this command if RADIUS or LDAP authentication has not been configured.
Note that the number of days you specify does not change the number of days before the password 
expires; it sets how many days ahead of expiration the ASA starts warning the user that the password 
is about to expire.
If you do specify the password-expire-in-days keyword, you must also specify the number of days.
See Configuring Microsoft Active Directory Settings for Password Management, page 70-28 for more 
information.
Specifying this command with the number of days set to 0 disables this command. The ASA does not 
notify the user of the pending expiration, but the user can change the password after it expires.
Step 10 Optionally, configure the ability to override an account-disabled indicator from the AAA server 
by entering the override-account-disable command:
hostname(config-tunnel-general)# override-account-disable
hostname(config-tunnel-general)# 
Note: Allowing override account-disabled is a potential security risk.
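The following Python script is an added example, not part of the Cisco guide: it audits the general-attributes settings described above, flagging connection profiles where override-account-disable is set, where the expiry warning is disabled with a value of 0, or where password-management is absent. The sample configuration is constructed, and the running-config layout (an unindented tunnel-group header followed by indented commands), the function name and the finding wording are assumptions.

```python
import re

# Constructed sample in the layout of "show running-config tunnel-group" (assumed; not from the guide).
SAMPLE_CONFIG = """\
tunnel-group sales type remote-access
tunnel-group sales general-attributes
 password-management password-expire-in-days 14
tunnel-group contractors general-attributes
 password-management password-expire-in-days 0
 override-account-disable
tunnel-group legacy general-attributes
 default-group-policy LegacyPolicy
tunnel-group legacy webvpn-attributes
 group-alias legacy enable
"""

HEADER = re.compile(r"^tunnel-group (\S+) (\S+)")
PWD = re.compile(r"^password-management(?: password-expire-in-days (\d+))?$")

def audit_tunnel_groups(config_text):
    """Return {tunnel-group name: [findings]} from general-attributes blocks."""
    findings, has_pwd_mgmt = {}, set()
    group = None  # set only while inside a general-attributes block
    for line in config_text.splitlines():
        if not line.startswith(" "):  # unindented line starts a new mode or command
            m = HEADER.match(line)
            group = m.group(1) if m and m.group(2) == "general-attributes" else None
            if group:
                findings.setdefault(group, [])
            continue
        if group is None:
            continue
        cmd = line.strip()
        m = PWD.match(cmd)
        if m:
            has_pwd_mgmt.add(group)
            if m.group(1) == "0":  # 0 disables the pending-expiration warning
                findings[group].append("expiry warning disabled")
            elif m.group(1) and int(m.group(1)) > 180:
                findings[group].append("warning days outside 0-180")
        elif cmd == "override-account-disable":
            findings[group].append("override-account-disable set")
    for name in findings:
        if name not in has_pwd_mgmt:
            findings[name].append("password-management not configured")
    return findings

if __name__ == "__main__":
    for name, items in audit_tunnel_groups(SAMPLE_CONFIG).items():
        print(name, items or ["ok"])
```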
Configuring Tunnel-Group Attributes for Clientless SSL VPN Sessions
To configure the parameters specific to a clientless SSL VPN connection profile, follow the steps in this 
section. Clientless SSL VPN was formerly known as WebVPN, and you configure these attributes in 
tunnel-group webvpn-attributes mode.
Step 1 To specify the attributes of a clientless SSL VPN tunnel-group, enter tunnel-group webvpn-attributes 
mode by entering the following command. The prompt changes to indicate the mode change:
hostname(config)# tunnel-group tunnel-group-name webvpn-attributes
hostname(config-tunnel-webvpn)# 
For example, to specify the webvpn-attributes for the clientless SSL VPN tunnel-group named sales, 
enter the following command:
hostname(config)# tunnel-group sales webvpn-attributes
hostname(config-tunnel-webvpn)#