ACS Appliance - Local User Password Changing Options

edunn · ‎07-11-2009

I am configuring a pair of 1113 appliances running ACS 4.2. The client wants to only user local user accounts stored in the ACS database for AAA on devices and LMS and Ops Manager logins. There are configurable password aging settings for users and groups. The question that I have is how are the users notified that their passwords are expired and ow can they change them? The customer uses only ssh for device management. Is the UCP utility still a requirement if an appliance is used as opposed to a standard Windows ACS installation. I also came across this bug:

SCsj50218 Bug Details

Password expiry feature should be support for users local to ACS

Symptom:

ACS currently does not support password expiry / password management feature for locally configured users.

Conditions:

users are configured locally on ACS as opposed to an external database such as active directory.

Workaround:

user external database / server where user profiles are setup.

Lucien Avramov · ‎07-13-2009

You are correct, ACS does currently not support local user password expiry.

The defect is actually : CSCsj50218

Jagdeep Gambhir · ‎07-13-2009

ACS supports Password Aging for Device-hosted Sessions-Users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session.

You can also control whether Cisco Secure ACS propagates passwords changed by this

feature.

UCP is used in both appliance and window.

Regards,

~JG

Do rate helpful posts

edunn · ‎07-13-2009

If configured, users are prompted to change their admin configured password through an ssh session when using the admin defined password.