
Cisco ACS 4.1 and Microsoft AD integration

kevin.jones1
Level 1

I have the following configuration:

Cisco ACS 4.1 is running on the Microsoft Active Directory Server (all in the same box). IP address of this box is 192.168.1.1/24.

I have RSA SecurID Server running on another box (192.168.1.2/24).

I tried to integrate Cisco ACS 4.1 with Microsoft AD server. I can log into Cisco devices with account(s) I created on the AD server.

What I would like to do is that whenever I reset the password for user(s) on the AD server, I want the user(s) to have the ability to change the password of the account on the Cisco device, like this:

[root@dca2-Linux root]# telnet 192.168.0.5

Trying 192.168.0.5...

Connected to 192.168.0.5 (192.168.0.5).

Escape character is '^]'.

User Access Verification

Username: test2

Enter PASSCODE:

Do you want to enter your own pin? (y or n) [n]

Enter your new Numerical PIN, containing 4 to 8 digits

or

"x" to cancel the new PIN procedure:

Reenter PIN:

C2960>

The above example is for ACS 4.1 and RSA SecurID integration. I would like to do the same thing between Cisco ACS 4.1 and Microsoft AD Server (running on Windows 2003 Enterprise Server with Service Pack 2). By the way, in ACS, I enabled ms-chap, both version 1 and version 2, and it still does not work.

Does anyone know how to fix this? Thanks.


Jagdeep Gambhir
Level 10

So you want the user to be able to change their AD password on their own, i.e. using ALT CTRL DEL.

Is that correct?

Hi,

Yes, that is correct. As we speak, I can do that with SecurID and ACS integration but I do not know how to do it with ACS and Microsoft LDAP integration.

Can someone help me out here? Thanks.

Kevin,

I don't think that is possible as ACS has no role to play here. When a user initiates a password change, the request goes straight to AD.

Regards,

~JG

JG,

Then how do you explain the following:

1) I can do password change between Cisco 4.1 ACS and RSA SecurID integration,

2) I have remote access VPN user(s) for Cisco Pix firewall and it uses Internet Authentication Service (aka Microsoft Radius) running on the same server and I use Radius authentication for remote VPN users (with ms-chap and ms-chap version 2). VPN users with Cisco VPN Client can change the password through the VPN client. That proves that there are mechanisms to do this.

OK, the ACS/LDAP integration is not Microsoft IAS but I would think that ACS has to be able to do this. I just don't know how to configure this.

Comments?

Kevin,

You use this software.

http://www.greyware.com/software/domainpassword/index.asp

With this, the user can change their AD password.

Hope that helps!

Regards,

~JG

JG,

I am aware of this software but I would like to avoid that. I want to have the ability to do it on network devices (aka Cisco routers and switches). Thanks.
