09-25-2007 08:25 AM - edited 03-10-2019 03:24 PM
I have the following configuration:
Cisco ACS 4.1 is running on the Microsoft
Active Directory Server (all in the same box).
IP address of this box is 192.168.1.1/24.
I have RSA SecurID Server running on
another box (192.168.1.2/24).
I tried to integrate Cisco ACS 4.1 with
Microsoft AD server. I can log into
Cisco devices with account(s) I created
on the AD server.
What I would like to do is that whenever
I reset the password for user(s) on the
AD server, I want the user(s) to have
the ability to change the password of
the account on the Cisco device, like
this:
[root@dca2-Linux root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
User Access Verification
Username: test2
Enter PASSCODE:
Do you want to enter your own pin? (y or n) [n]
Enter your new Numerical PIN, containing 4 to 8 digits
or
"x" to cancel the new PIN procedure:
Reenter PIN:
C2960>
The above example is for ACS 4.1 and RSA SecurID
integration. I would like to do the same thing between
Cisco ACS 4.1 and Microsoft AD Server (running
on Windows 2003 Enterprise Server with Service
Pack 2). By the way, in ACS, I enabled MS-CHAP
both version 1 and version 2 and it still does not
work.
Anyone know how to fix this? Thanks.
09-25-2007 08:47 AM
So you want users to be able to change their AD password on their own, i.e. using
ALT CTRL DEL?
Is that correct?
09-25-2007 09:05 AM
Hi,
Yes, that is correct. As we speak,
I can do that with SecurID and ACS
integration but I do not know how
to do it with ACS and Microsoft LDAP
integration.
09-26-2007 07:25 AM
Can someone help me out here? Thanks.
09-26-2007 08:36 AM
Kevin,
I don't think that is possible, as ACS has no role to play here. When a user initiates a password change, the request goes straight to AD.
Regards,
~JG
09-26-2007 08:52 AM
JG,
Then how do you explain the following:
1) I can do password change between
Cisco 4.1 ACS and RSA SecurID integration.
2) I have remote access VPN user(s) for Cisco
PIX firewall and it uses Internet
Authentication Service (aka Microsoft RADIUS)
running on the same server, and I use RADIUS
authentication for remote VPN users (with
MS-CHAP and MS-CHAP version 2). VPN users
with Cisco VPN Client can change the password
through the VPN client. That proves that
there are mechanisms to do this.
OK, the ACS/LDAP integration is not Microsoft
IAS, but I would think that ACS has to be
able to do this. I just don't know how to
configure this.
Comments?
09-26-2007 08:54 AM
Kevin,
You can use this software:
http://www.greyware.com/software/domainpassword/index.asp
With this, users can change their AD password.
Hope that helps!
Regards,
~JG
09-26-2007 09:04 AM
JG,
I am aware of this software but I would like
to avoid that. I want to have the ability to
do it on network devices (aka Cisco routers
and switches). Thanks.