This feature is compatible with:
Cisco AnyConnect Secure Mobility, Version 3.1
and
Cisco VPN Client, Release 5
Configuring and enabling this feature is relatively straightforward:
First, configure the LDAP server:
aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host 10.48.66.128
 ldap-base-dn CN=USers,DC=test-cisco,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=users,DC=test-cisco,DC=com
 server-type microsoft
Then use that configuration for the tunnel-group and the password-management feature:
tunnel-group RA general-attributes
 address-pool POOL
 authentication-server-group LDAP
 default-group-policy MY
 password-management
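The AAA server definition above with LDAP over SSL enabled, as an added example that is not part of the original page. With server-type microsoft, Active Directory only accepts a password change over an encrypted connection, and without SSL the bind password and the VPN users' passwords travel to 10.48.66.128 in clear text. The example assumes the directory server has a certificate installed and listens on TCP/636.

```cisco
! Added example, not from the original page.
! Same server, base DN and bind account as the configuration above;
! only the two lines marked "added" are new.
aaa-server LDAP protocol ldap
aaa-server LDAP (outside) host 10.48.66.128
 ! added: LDAPS port (assumes the server listens on TCP/636)
 server-port 636
 ! added: wrap the LDAP session in SSL so binds and password changes are encrypted
 ldap-over-ssl enable
 ldap-base-dn CN=USers,DC=test-cisco,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Administrator,CN=users,DC=test-cisco,DC=com
 server-type microsoft
!
! Unchanged from the page: the tunnel-group still points at the LDAP group.
tunnel-group RA general-attributes
 address-pool POOL
 authentication-server-group LDAP
 default-group-policy MY
 password-management
```

After applying it, show aaa-server LDAP should list the server on port 636 and the request counters should increase on the next login.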
For more detailed information, refer to this Cisco Document:
ASA Remote Access VPN IKE/SSL - Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example