Different Password Policy for Different User Groups in ACS 4.2

Sep 24th, 2009

Hi All,

Can someone provide a solution for the below requirement?

We have an ACS 4.2 appliance managing firewalls of different clients. The users are common, i.e., helpdesk administrators. One of the clients came up with setting a different password policy for managing their devices, i.e., the client wants to have min 15 characters as password length. We currently have 8 characters as min password length. Can we change the password policy to min 15 characters only for managing the firewalls of this client, whereas for all other client firewalls we feel better to have 8 characters as min password length?

It seems that these password policies are global and affect all the users.

This is something like having two sets of password policy (for each user), depending on the client which he is going to manage.

To my knowledge, I think that this is not possible. But I thought to cross-check with experts!


darpotter Thu, 09/24/2009 - 02:08

With ACS you'd need multiple appliances and use TACACS/RADIUS proxy to forward specific requests to another ACS - with the appropriate password requirements.

If ACS was back-ending onto Windows you might be able to set up Windows per-group password policies?

Jatin Katyal (Cisco Employee) Thu, 09/24/2009 - 05:13

Hi jags,

You're correct. Password policy on ACS will affect all internal users. We can't create different password policies for different clients/connections/set_of_users.

Password validation options apply only to user passwords that are stored in the ACS internal database. They do not apply to passwords in user records in external user databases; nor do they apply to enable or admin passwords for Cisco IOS network devices.




