Cisco ACS 4.1 and Microsoft AD integration

Unanswered Question
Sep 25th, 2007

I have the following configuration:

Cisco ACS 4.1 is running on the Microsoft Active Directory Server (all in the same box). IP address of this box is

I have RSA SecurID Server running on another box (

I tried to integrate Cisco ACS 4.1 with Microsoft AD server. I can log into Cisco devices with account(s) I created on the AD server.

What I would like to do is that whenever I reset the password for user(s) on the AD server, I want the user(s) to have the ability to change the password of the account on the Cisco device, like

[[email protected] root]# telnet
Connected to (
Escape character is '^]'.

User Access Verification

Username: test2

Do you want to enter your own pin? (y or n) [n]
Enter your new Numerical PIN, containing 4 to 8 digits
"x" to cancel the new PIN procedure:
Reenter PIN:


The above example is for ACS 4.1 and RSA SecurID integration. I would like to do the same thing between Cisco ACS 4.1 and Microsoft AD Server (running on Windows 2003 Enterprise Server with Service Pack 2). By the way, in ACS, I enable for MS-CHAP both version 1 and version 2 and it still does not

Anyone know how to fix this? Thanks.

Jagdeep Gambhir Tue, 09/25/2007 - 08:47

So you want users should be able to change their AD password on their own... i.e. using

Is that correct?

kevin.jones1 Tue, 09/25/2007 - 09:05


Yes, that is correct. As we speak, I can do that with SecurID and ACS integration but I do not know how to do it with ACS and Microsoft LDAP

Jagdeep Gambhir Wed, 09/26/2007 - 08:36


I don't think that is possible, as ACS has no role to play here. When a user initiates a password change, the request goes straight to AD.



kevin.jones1 Wed, 09/26/2007 - 08:52


Then how do you explain the following:

1) I can do password change between Cisco 4.1 ACS and RSA SecurID integration,

2) I have remote access VPN user(s) for Cisco PIX firewall and it uses Internet Authentication Service (aka Microsoft RADIUS) running on the same server, and I use RADIUS authentication for remote VPN users (with MS-CHAP and MS-CHAP version 2). VPN users with Cisco VPN Client can change the password through the VPN client. That proves that there are mechanisms to do this.

OK, the ACS/LDAP integration is not Microsoft IAS, but I would think that ACS has to be able to do this. I just don't know how to configure this.


kevin.jones1 Wed, 09/26/2007 - 09:04


I am aware of this software but I would like to avoid that. I want to have the ability to do it on network devices (aka Cisco routers and switches). Thanks.

