09-25-2007 08:25 AM - edited 03-10-2019 03:24 PM
I have the following configuration:
Cisco ACS 4.1 is running on the Microsoft Active Directory server (all in the same box). The IP address of this box is 192.168.1.1/24. I have RSA SecurID Server running on another box (192.168.1.2/24).
I tried to integrate Cisco ACS 4.1 with the Microsoft AD server. I can log into Cisco devices with account(s) I created on the AD server.
What I would like to do is this: whenever I reset the password for user(s) on the AD server, I want the user(s) to have the ability to change the password of the account on the Cisco device, like this:
[root@dca2-Linux root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
User Access Verification
Username: test2
Enter PASSCODE:
Do you want to enter your own pin? (y or n) [n]
Enter your new Numerical PIN, containing 4 to 8 digits
or
"x" to cancel the new PIN procedure:
Reenter PIN:
C2960>
The above example is for ACS 4.1 and RSA SecurID integration. I would like to do the same thing between Cisco ACS 4.1 and the Microsoft AD server (running on Windows 2003 Enterprise Server with Service Pack 2). By the way, in ACS I enabled MS-CHAP version 1 and version 2 and it still does not work.
Anyone know how to fix this? Thanks.
09-25-2007 08:47 AM
So you want users to be able to change their AD password on their own, i.e. using ALT CTRL DEL?
Is that correct?
09-25-2007 09:05 AM
Hi,
Yes, that is correct. As we speak, I can do that with the SecurID and ACS integration, but I do not know how to do it with the ACS and Microsoft LDAP integration.
09-26-2007 07:25 AM
Can someone help me out here? Thanks.
09-26-2007 08:36 AM
Kevin,
I don't think that is possible, as ACS has no role to play here. When a user initiates a password change, the request goes straight to AD.
Regards,
~JG
09-26-2007 08:52 AM
JG,
Then how do you explain the following:
1) I can do a password change between Cisco ACS 4.1 and RSA SecurID integration.
2) I have remote access VPN user(s) for a Cisco PIX firewall, and it uses Internet Authentication Service (aka Microsoft RADIUS) running on the same server, and I use RADIUS authentication for remote VPN users (with MS-CHAP and MS-CHAP version 2). VPN users with the Cisco VPN Client can change the password through the VPN client. That proves that there are mechanisms to do this.
OK, the ACS/LDAP integration is not Microsoft IAS, but I would think that ACS has to be able to do this. I just don't know how to configure this.
Comments?
09-26-2007 08:54 AM
Kevin,
You can use this software:
http://www.greyware.com/software/domainpassword/index.asp
With this, users can change their AD password.
Hope that helps!
Regards,
~JG
09-26-2007 09:04 AM
JG,
I am aware of this software, but I would like to avoid that. I want to have the ability to do it on network devices (aka Cisco routers and switches). Thanks.