Cisco ACS 4.1 and Microsoft AD integration

kevin.jones1
Level 1

I have the following configuration:

Cisco ACS 4.1 is running on the Microsoft Active Directory Server (all in the same box). IP address of this box is 192.168.1.1/24. I have RSA SecurID Server running on another box (192.168.1.2/24).

I tried to integrate Cisco ACS 4.1 with Microsoft AD server. I can log into Cisco devices with account(s) I created on the AD server.

What I would like to do is that whenever I reset the password for user(s) on the AD server, I want the user(s) to have the ability to change the password of the account on the Cisco device, like this:

[root@dca2-Linux root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.

User Access Verification

Username: test2
Enter PASSCODE:
Do you want to enter your own pin? (y or n) [n]
Enter your new Numerical PIN, containing 4 to 8 digits
or
"x" to cancel the new PIN procedure:
Reenter PIN:
C2960>

The above example is for ACS 4.1 and RSA SecurID integration. I would like to do the same thing between Cisco ACS 4.1 and Microsoft AD Server (running on Windows 2003 Enterprise Server with Service Pack 2). By the way, in ACS, I enable for MS-CHAP both version 1 and version 2 and it still does not work.

Anyone know how to fix this? Thanks.

7 Replies

Jagdeep Gambhir
Level 10

So you want users to be able to change their AD password on their own, i.e. using ALT CTRL DEL.

Is that correct?

Hi,

Yes, that is correct. As we speak, I can do that with SecurID and ACS integration but I do not know how to do it with ACS and Microsoft LDAP integration.

Can someone help me out here? Thanks.

Kevin,

I don't think that is possible as ACS has no role to play here. When a user initiates a password change, the request goes straight to AD.

Regards,

~JG

JG,

Then how do you explain the following:

1) I can do password change between Cisco 4.1 ACS and RSA SecurID integration.

2) I have remote access VPN user(s) for Cisco PIX firewall and it uses Internet Authentication Service (aka Microsoft RADIUS) running on the same server, and I use RADIUS authentication for remote VPN users (with MS-CHAP and MS-CHAP version 2). VPN users with Cisco VPN Client can change the password through the VPN client. That proves that there are mechanisms to do this.

OK, the ACS/LDAP integration is not Microsoft IAS, but I would think that ACS has to be able to do this. I just don't know how to configure this.

Comments?

Kevin,

You can use this software:

http://www.greyware.com/software/domainpassword/index.asp

With this, users can change their AD password.

Hope that helps!

Regards,

~JG

JG,

I am aware of this software but I would like to avoid that. I want to have the ability to do it on network devices (aka Cisco routers and switches). Thanks.