ACS 4.2 - Active Directory Password Caching

glemaire · ‎09-25-2008

Dear,

Currently, I have a Cisco ACS-4.2.0.124.5 on a Windows Server 2003 SP2, with a Cisco switch (3750 - TACACS).

I have mapped an Active Directory Group to an ACS Group.

I'm connecting on the 3750 with my AD login/pwd. It's working. Perfect.

I change my AD password. I try to connect on a server (to test if my password is replicated) and yes my password is replicated.

Now, I try to connect on the 3750. My new password worksâ€¦ but the OLD too.

OLD and NEW password work with my login.

What I have missed in the configuration? I have no local user in the Cisco ACS Local Database.

According to the Windows Team, the login that I use is in a group which is replicated instantly everywhereâ€¦ and yes because the new password worksâ€¦ but why the OLD is workingâ€¦? I try my OLD password on the previous server (or another server or a web portal which this group is linked), it doesn't work.

But for all devices (TACACS & RADIUS) in the Cisco ACS, the OLD password works.

Thanks in advance,

glemaire · ‎09-25-2008

It seems to have a cache between 15 & 20 minutes. Is-it normal ?

Jagdeep Gambhir · ‎09-26-2008

Passwords are not cached by ACS for dynamically created users. Please break the communication between ACS and AD and then try to connect.

That will let us know if the issue is with ACS or AD.

Regards,

~JG

Do rate helpful posts

Jagdeep Gambhir · ‎09-26-2008

More info

Windows 2003 SP1 changes NTLM behavior and because of this, two passwords can be valid for an hour after the password has changed.

Here is the article:

http://support.microsoft.com/kb/906305/en-us

Regards,

~JG

Do rate helpful posts

Jagdeep Gambhir · ‎09-26-2008

I have a scenario for you in active directory when two passwords may be valid:

Old passwords can also work on domain controllers that have not received replication yet from either the domain controller the password was changed on, or the PDC emulator in the domain.

Let's take a scenario where we have a 3 site, 3 domain controller (DC) active directory: Site1 with DC1, site2 with DC2 and site3 with DC3.

The ACS application resides in Site3 and is configured to use DC3 for authentication. We have a user "user1" with a password of "123".

User1 decides to call the helpdesk and changes his password to "456".

The helpdesk uses DC1 to make password changes because they are located in site1. For a period of time (based on replication, which defaults to 3 hours between sites) the 123 password and the 456 password will be

valid.

If the user1 user tries the "123" password it will work until DC3 receives the changed password from normal replication. If user1 tries to use 456, DC3 will flag this as a wrong password, and then check the PDC

emulator of the domain to see if it has received a newer password. The PDC emulator will validate the login, and then trigger an immediate replication with DC3.

Regards,

~JG

Do rate helpful posts

glemaire · ‎09-29-2008

Many thanks for your quick answers.

I will see with the other team to see if it's apply or not but the scenario that you explain is good for my case.

Except that the user/password for the user is located on the same Domain Controller (I guess) than the Cisco ACS.

But I will see with them.

So, thanks ;o)