cisco24x7 Wed, 04/23/2008 - 03:30
User Badges:
  • Silver, 250 points or more

I do not think Cisco ACS can do that by itself.


What you can do is to use "external database"

for authentication such as RSA SecurID, with

ACS integration. It does work, as seen

below:


[[email protected] root]# telnet 192.168.1.4

Trying 192.168.1.4...

Connected to 192.168.1.4 (192.168.1.4).

Escape character is '^]'.



User Access Verification


Username: test1

Enter PASSCODE:


Enter your new Numerical PIN, containing 4 to 8 digits

or

"x" to cancel the new PIN procedure:


Reenter PIN:


BGP_Trigger>


CCIE Security

shereifonline Wed, 04/23/2008 - 03:56
User Badges:

Can we do this if we integrate between ACS and the Windows Domain controller? the RSA is not available now.


appreciate your help. Thanks.

cisco24x7 Wed, 04/23/2008 - 04:38
User Badges:
  • Silver, 250 points or more

do not quote me on this but according to what

I've tested about 6 months, it does not work

with Active Directory, from what I've tried

to accomplished; i.e. telnet to the router

with AD accounts proxy from ACS.


Maybe I did not setup the AD server correctly,

unlikely, but from what I've tested, it does

not work with Cisco IOS when telneting into

a cisco device.

Jagdeep Gambhir Wed, 04/23/2008 - 12:09
User Badges:
  • Red, 2250 points or more

Hi,

You can configure password aging on ACS for ACS users, or (as in your case) you configure

password aging on your Windows Active

Directory database.


Please take a look at this document below, as I believe it provides the required

information you need to properly configure password aging for your Windows users in ACS:



http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs

33/user/g.htm#wp479732


To support password-aging using Windows active directory we need to have AAA client

configured for radius.


Below link gives more information on this.



http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs

33/user/g.htm#wp479732

For password expiry to work with tacacs we need to have the username and passwords

configured locally on the ACS server.



http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs

33/user/o.htm#wp792652



Regards.

~JG


Do rate helpful posts

Jagdeep Gambhir Wed, 04/23/2008 - 12:14
User Badges:
  • Red, 2250 points or more

RADIUS Password Expiry is supported with External windows database using MS-CHAPv2. We cannot use RADIUS Password Expiry with local ACS database

Actions

This Discussion