User account disable on ACS 5.X

josearnau · ‎12-03-2009

Hi,

I'm working with the new ACS version 5.X, and i have a question. Is possible configure a local user account to disable it automatically, as in the 4.2 ACS version. When I create an local user account there isn't this option, and I don't know how to implement it.

Thanks a lot and kind regards.

jrabinow · ‎12-03-2009

In ACS 5.1 an internal user account can be manually disabled and can

become disabled as a result of password expiry. There is currently no capability to automatically disabled based on failed attempts.

There is functionality provide as part of Monitoring and Troubleshooting that can:

- alarm when threshold of failed attempts is exceed (failed attempts are collected across the deployment)

- report the top N authentication failures in the deployment

josearnau · ‎12-03-2009

Thanks a lot for your information.

My idea is implement the same functionality that ACS 4.2, in other words I would like that password expires based on date, not as result of failed attempts.

Kind regards.

jrabinow · ‎12-03-2009

Gotcha.

Concept in ACS 5 is to not implement such authorization decisions as part of the user definition. Rather as part of policy. There are Date/Time conditions that can be used as part of an authentication policy to deny a user access after a particular date

1) Create date/time condition (Policy Elements > Session Conditions >Date and Time). To disable user after a specific date select

"End By" option and then date/time to be disabled

2) Create conditions in policies to deny access to the user. Add the "Date/Time" and "User Name" conditions to the policy and select the date/time condition from step 1) and enter the user name to be denied access after condition expired.

I assume these conditions are temporary:to expire accounts for a small number of users. As such, a good place can be the Authorization Exception policy which is designed to administratively separate temporary changes to policy. However, could also be in the iidentity policy or others

liaqath2k7 · ‎04-16-2010

The steps are very much clear but where should i apply these conditions, like in earlier versions it was in the user profile but here i dont find any option to apply the step 1) and 2).

daveofferman · ‎07-07-2010

FAIL. This is not what we want. We want to be able to automatically disable a User Account in ACS based on a date. This functionality was commonly used in ACS versions prior to 5.X. I have not heard a valid reason why Cisco took this feature out.

Cisco, it doesn't seem like you're listening to your customers. Why throw the baby out with the bath water?

Please add this functionality back into ACS 5.X in the next patch.

(Screenshot below is from ACS v3.3)

liaqath2k7 · ‎12-24-2011

Am not sure whether this is another configuration issue from cisco or am not able to find the exact tab to configure it.

I want to set the account expiry date different for VIP users and different for other emplyees.

what i can see in ACS 5.3 is, there is a global option which applies on all the users, i need user based account disable option,

Certain users must expire after 90 days and certain users with their account never disable option.

any clues...

jrabinow · ‎12-28-2011

I am attaching an example of how to create both temporary and permanent accounts within the internal user database. It achieves the requirements above although maybe with a different approach. It uses two new capabilities in ACS 5.3

- Attribute to attribute comparison in the authorization policy

- Leverages a new System attributed called "NumberOfHoursSinceUserCreation"

I am also including a summary of the steps below

- Create two identity attributes for internal users

-Define an identity attribute for the user type. Can use an integer where 1 indicates a permanent account and 2 a temporary one

- Define an identity attribute for user lifetime. Use an integer. Defines the user lifetime in hours

- Create a rule in a compound condition in the the authorization policy to deny access to users where Number Of Hours Since User Creation exceeds the lifetime. Eg (Internal Users:User Type = 2 And System:NumberOfHoursSinceUserCreation > Internal Users:UserLifetime) then DenyAccess

Note, I used an integer attribute type for the user type. This is because of issues displaying the enumerated values of an attribute in a compound condition. However, if install patch 1 for ACS 5.3 it may be possible to use an enumerated attribute instead of an integer one (which will be clearer) since the following CDETS is resolved in patch 1

CSCtg51846 Enum values are not shown in compound conditions in rule

I have not tested with patch 1

Dev Vishwakarma · ‎03-22-2012

Here is how you can configure it on ACS 5.3:

https://supportforums.cisco.com/docs/DOC-22894

Regards,

Dev

Gustavo Novais · ‎03-28-2012

Hello,

I do see on the user account page, that there are three timestamps - User Creation, modification and enablement.

Is there any way to access the difference from now and any of those timestamps, not only the creation?

The use case is that for guests (new users) Creation is enough, but often you may have recurrent users that are disabled and are enabled just temporarily. For that, the other timestamps would be interesting to assess...

Is there any way to do so?

Thanks

Gustavo

liaqath2k7 · ‎04-14-2012

Hi,

After so much of time cisco re-introduced this option in 5.3, One more problem am facing like:

1: We have normal VPN users on whom i want to enforce this policy of 90 days and 5 failed attempts.

2: We have some VIP users on whom i don't want to enforce any of the policy.

What i see in 5.3 is global setting effecting all users or am i missing any configuration related to this....because in previous versions till 4.x this option was under user settings itself which make us easier to choose based on user.