Cisco ASA VPN service caches the old password after a password change

We noticed that the Cisco ASA firewall caches passwords after a password change: the old password keeps working a few times before expiring, while the new one can be used without any problem.

This documentation, found on the Cisco website, helped me troubleshoot this issue:

“The adaptive security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the adaptive security appliance does not resend the request to the authorization server.”

To solve that issue in my case, I found a solution using the “password-storage” option in the group attributes:

— Go to your Cisco ASA
— Activate the Enable mode

— Enter configuration mode

conf t

— Edit the group attributes associated with your VPN

group-policy <VPN policy name> attributes

— Add the password-storage option

password-storage disable

— Test
— Save
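
To check the change across every policy on a device, the following added example (not part of the original post and not Cisco code) reads a saved running-config and lists the group policies whose attributes block lacks an explicit "password-storage disable" line. The policy names and the sample config are constructed, and the parser assumes the usual one-space indentation of sub-commands in the config text.

```python
import re

# Constructed sample of an ASA running-config (not taken from a real device).
SAMPLE_CONFIG = """\
group-policy VPN-STAFF internal
group-policy VPN-STAFF attributes
 vpn-tunnel-protocol ssl-client
 password-storage disable
group-policy VPN-VENDORS internal
group-policy VPN-VENDORS attributes
 vpn-tunnel-protocol ikev2
 password-storage enable
group-policy VPN-LEGACY internal
group-policy VPN-LEGACY attributes
 dns-server value 192.0.2.53
tunnel-group STAFF general-attributes
 default-group-policy VPN-STAFF
"""

# Header line that opens a group-policy attributes block.
HEADER = re.compile(r"^group-policy (\S+) attributes\s*$")


def password_storage_by_policy(config):
    """Map each group-policy name to 'enable', 'disable', or None (no explicit line)."""
    settings = {}
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # A top-level line ends the previous block and may open a new one.
            match = HEADER.match(line)
            current = match.group(1) if match else None
            if current is not None:
                settings.setdefault(current, None)
            continue
        words = line.split()
        if current and len(words) == 2 and words[0] == "password-storage":
            settings[current] = words[1]
    return settings


def policies_missing_disable(config):
    """Return the sorted names of policies without an explicit 'password-storage disable'."""
    found = password_storage_by_policy(config)
    return sorted(name for name, value in found.items() if value != "disable")


if __name__ == "__main__":
    for name in policies_missing_disable(SAMPLE_CONFIG):
        print(f"{name}: 'password-storage disable' not set explicitly")
```

A policy reported with no explicit line may still inherit the setting from another policy, so review those entries rather than treating them as misconfigured.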

