User change his password after first login in ACS 4.1

Unanswered Question
Apr 23rd, 2008

How can I force the users of my ACS to change thier passwords after the first login??

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
cisco24x7 Wed, 04/23/2008 - 03:30

I do not think Cisco ACS can do that by itself.

What you can do is to use "external database"

for authentication such as RSA SecurID, with

ACS integration. It does work, as seen

below:

[[email protected] root]# telnet 192.168.1.4

Trying 192.168.1.4...

Connected to 192.168.1.4 (192.168.1.4).

Escape character is '^]'.

User Access Verification

Username: test1

Enter PASSCODE:

Enter your new Numerical PIN, containing 4 to 8 digits

or

"x" to cancel the new PIN procedure:

Reenter PIN:

BGP_Trigger>

CCIE Security

shereifonline Wed, 04/23/2008 - 03:56

Can we do this if we integrate between ACS and the Windows Domain controller? the RSA is not available now.

appreciate your help. Thanks.

cisco24x7 Wed, 04/23/2008 - 04:38

do not quote me on this but according to what

I've tested about 6 months, it does not work

with Active Directory, from what I've tried

to accomplished; i.e. telnet to the router

with AD accounts proxy from ACS.

Maybe I did not setup the AD server correctly,

unlikely, but from what I've tested, it does

not work with Cisco IOS when telneting into

a cisco device.

Jagdeep Gambhir Wed, 04/23/2008 - 12:09

Hi,

You can configure password aging on ACS for ACS users, or (as in your case) you configure

password aging on your Windows Active

Directory database.

Please take a look at this document below, as I believe it provides the required

information you need to properly configure password aging for your Windows users in ACS:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs

33/user/g.htm#wp479732

To support password-aging using Windows active directory we need to have AAA client

configured for radius.

Below link gives more information on this.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs

33/user/g.htm#wp479732

For password expiry to work with tacacs we need to have the username and passwords

configured locally on the ACS server.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs

33/user/o.htm#wp792652

Regards.

~JG

Do rate helpful posts

Jagdeep Gambhir Wed, 04/23/2008 - 12:14

RADIUS Password Expiry is supported with External windows database using MS-CHAPv2. We cannot use RADIUS Password Expiry with local ACS database

Actions

This Discussion