NAC 802.1x Framework - Users can't change password using ACS

Unanswered Question
Oct 7th, 2007
Hi All,


I have a weird question about a NAC 802.1x framework deployment.


Environment:

Client(with CTA)---ACS SE (ver 4.0)---MS AD(ACS remote agent)


The NAC deployment was fine until we ran into a problem with the password policy set in AD. AD requires users to change their password every month. CTA is able to prompt for the password change, but it just keeps processing until it times out, and users can't log in to the network. Users need to restart a few times until the prompt from MS asking to change the password appears; only then does it work.


I have configured it to allow all authentication, including MSCHAP ver 1 and 2, and followed the ACS documentation about user group configuration to enable user password change, etc.


The second question is about disabling a user account in AD: it looks like it needs 2 restarts before the disabled account takes effect.


Has anyone experienced this before? Any workaround?


Thanks

YokeChuan

scandan Wed, 10/10/2007 - 00:56
Dear Yoke,


EAP-GTC is the second phase of PEAP with the MSCHAPvs authentication process, and ACS 4.0 has a bug (CSCsc00788) about it. The bug is fixed in 4.1, so you should upgrade the version of ACS.


Kind Regards,


Serhat

chenyokechuan Wed, 10/10/2007 - 02:11
Hi Serhat,


Thanks a lot for the help in this matter; I will check with the TAC engineer.


For the second issue, about disabling an AD user account: the PC needs to be restarted twice before it takes effect. Is this also a bug? I have seen other users post this question before; it looks like there is no workaround at the moment.


Thanks

YokeChuan

scandan Wed, 10/10/2007 - 05:55
Dear Yoke,


I don't know exactly whether it might be related to a bug. Could you check the release notes for ACS 4.0? http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/release/notes/RNwin401.html#wp37535


The Known Problems section contains all the bug information related to the version.


Also, the TAC engineer will inform you if you have already opened a case.


Kind regards,


Serhat

chenyokechuan Wed, 10/10/2007 - 07:50
Hi Serhat,


Thanks a lot, I will clarify with the TAC engineer.


I appreciate your valuable response.


Thanks

YokeChuan
