07-11-2009 07:48 PM - edited 03-10-2019 04:35 PM
I am configuring a pair of 1113 appliances running ACS 4.2. The client wants to only user local user accounts stored in the ACS database for AAA on devices and LMS and Ops Manager logins. There are configurable password aging settings for users and groups. The question that I have is how are the users notified that their passwords are expired and ow can they change them? The customer uses only ssh for device management. Is the UCP utility still a requirement if an appliance is used as opposed to a standard Windows ACS installation. I also came across this bug:
SCsj50218 Bug Details
Password expiry feature should be support for users local to ACS
Symptom:
ACS currently does not support password expiry / password management feature for locally configured users.
Conditions:
users are configured locally on ACS as opposed to an external database such as active directory.
Workaround:
user external database / server where user profiles are setup.
07-13-2009 07:09 AM
You are correct, ACS does currently not support local user password expiry.
The defect is actually : CSCsj50218
07-13-2009 07:39 AM
ACS supports Password Aging for Device-hosted Sessions-Users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session.
You can also control whether Cisco Secure ACS propagates passwords changed by this
feature.
UCP is used in both appliance and window.
Regards,
~JG
Do rate helpful posts
07-13-2009 05:19 PM
If configured, users are prompted to change their admin configured password through an ssh session when using the admin defined password.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: