User change his password after first login in ACS 4.1

Unanswered Question
Apr 23rd, 2008

How can I force the users of my ACS to change thier passwords after the first login??

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cisco24x7 Wed, 04/23/2008 - 03:30

I do not think Cisco ACS can do that by itself.

What you can do is to use "external database"

for authentication such as RSA SecurID, with

ACS integration. It does work, as seen


[[email protected] root]# telnet


Connected to (

Escape character is '^]'.

User Access Verification

Username: test1


Enter your new Numerical PIN, containing 4 to 8 digits


"x" to cancel the new PIN procedure:

Reenter PIN:


CCIE Security

shereifonline Wed, 04/23/2008 - 03:56

Can we do this if we integrate between ACS and the Windows Domain controller? the RSA is not available now.

appreciate your help. Thanks.

cisco24x7 Wed, 04/23/2008 - 04:38

do not quote me on this but according to what

I've tested about 6 months, it does not work

with Active Directory, from what I've tried

to accomplished; i.e. telnet to the router

with AD accounts proxy from ACS.

Maybe I did not setup the AD server correctly,

unlikely, but from what I've tested, it does

not work with Cisco IOS when telneting into

a cisco device.

Jagdeep Gambhir Wed, 04/23/2008 - 12:09


You can configure password aging on ACS for ACS users, or (as in your case) you configure

password aging on your Windows Active

Directory database.

Please take a look at this document below, as I believe it provides the required

information you need to properly configure password aging for your Windows users in ACS:


To support password-aging using Windows active directory we need to have AAA client

configured for radius.

Below link gives more information on this.


For password expiry to work with tacacs we need to have the username and passwords

configured locally on the ACS server.




Do rate helpful posts

Jagdeep Gambhir Wed, 04/23/2008 - 12:14

RADIUS Password Expiry is supported with External windows database using MS-CHAPv2. We cannot use RADIUS Password Expiry with local ACS database


This Discussion