Problem with changing of domain passwords within NAC environment

ales.simr
Level 1

Dear all,

Please give me some advice on the following problem. We have just successfully deployed NAC in our network but have a problem. Domain users (including administrators) are not able to change the passwords of their domain accounts. When I change the password of an account, the user is able to log in to his computer, but the Trust Agent installed there doesn't allow a connection to the network. And when I change the password back to the old one, the Trust Agent is immediately able to let the computer connect to the network and it returns to normal green.

So far I have tried restarting the computer and also shutting it down for a few minutes. Then I tried restarting ACS and the domain server. The problem still persists and is quite critical for our network, as we are not able to change the password of any domain account.

We use the following HW and SW in our network:

ACS version 4.0

Trust agent version 2.1

Management center for security agents version 5.2

Three Catalyst 3750 switches, IOS version 12.2(37)

And I have almost forgotten to note that ACS is connected to the Active Directory server via the Remote Agent.

Thx for your support in advance.

2 Replies

didyap
Level 6

When ACS is mapped to AD to authenticate users, ACS only caches the username, with password authentication configured to point to the external database that authenticated the user. Such a user is called a discovered user. Cisco Secure ACS does not import credentials (such as passwords, certificates, or NAC credential types) for a discovered user. Do you get any error message in ACS when the users try to log in using the changed passwords? Also make sure the logging level is set to full in ACS under System Configuration -> Service Control.

Thank you for your response, but I have finally found that there is a bug, CSCsg44335, in CTA which causes this problem. It has not been resolved by Cisco yet.

So far I can change a password on a PC locally and everything works correctly. So I have configured all accounts on the AD server to have their passwords expire at regular intervals, to force the users to change their passwords regularly.
