Problem with changing of domain passwords within NAC environment

Unanswered Question
Oct 25th, 2007

Dear all,

please give me some advice with the following problem. We have just successfully deployed NAC in our network but have a problem. Domain users (including administrators) are not able to change their passwords for a domain account. When I change the password for an account, the user is able to log in to his computer but the Trust Agent installed there doesn't allow connection to the network. And when I change the password back to the old one, the Trust Agent is immediately able to let the computer connect to the network and come to normal green.

So far I have tried to restart the computer, and also tried to shut it down for a few minutes. Then I tried to restart ACS and the domain server. So far the problem still persists and is quite critical for our network, as we are not able to change any password for any domain account.

We use the following HW and SW in our network:

ACS version 4.0

Trust Agent version 2.1

Management Center for Security Agents version 5.2

Three Catalyst 3750 switches, IOS version 12.2(37)

And I have almost forgotten to note that ACS is connected to the Active Directory server via Remote Agent.

Thanks for your support in advance.

didyap Thu, 11/01/2007 - 06:49

When ACS is mapped to AD to authenticate users, ACS only caches the username, with the password authentication configured as a pointer to the external database which authenticated the user. Such a user is called a discovered user. Cisco Secure ACS does not import credentials (such as passwords, certificates, or NAC credential types) for a discovered user. Do you get any error message in ACS when the users try to log in using changed passwords? Also make sure the logging level is set to full in ACS under System Configuration -> Service Control.

ales.simr Mon, 11/05/2007 - 01:32

Thank you for your response, but finally I have found that there is a bug, CSCsg44335, in CTA which causes such a problem. It has not been resolved by Cisco yet.

So far I can change a password on a PC locally and everything works correctly. So I have configured all passwords for all accounts on the AD server to expire at regular intervals to force the users to change their passwords regularly.
