Unanswered Question
Jan 11th, 2010

Hi experts,

I am using PEAP-GTC with ACS secure engine 4.1 with external database as LDAP as authentication mechanism for my wireless clients.

I am trying to configure user changable password in this setup. I am seeing in documents that only windows active directory is possible to achieve this.

can you please guide me how to configure user changable password for my wireless clients when LDAP is used as external authentication server

thanks in advance


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Jatin Katyal Tue, 01/12/2010 - 05:56

Hi Sairam:

You use the UCP application to enable users to change their ACS passwords for only ACS internal user's with a web-based utility. When users need to change passwords, they can access the UCP web page by using a supported web browser.

Installing UCP:


We can not use UCP with any kind of database neither windows nor LDAP. It only works for ACS internal/Local users.

Secondly, For wireless clients password change only works with PEAP-MSCHAPv2 and EAP-FAST that too with windows database (AD) because it requires mschap protocol to negotiate password change.

On ACS we need to make sure that mschap is enabled Under External User Databases > Database Configuration > Windows Database >

Configure > Windows Authentication Configuration.

"Enable password changes using MS-CHAP version 1." and,

"Enable password changes using MS-CHAP version 2."

And, Under System Configuration > Global Authentication Setup > under "MS-CHAP Configuration",

Check "Allow MS-CHAP Version 1 Authentication"

Check "Allow MS-CHAP Version 2 Authentication"

You are using ACS as a authentication server with LDAP as a backend database and ldap doesn't support MSCHAP.

Looks like none of these option fits in your requirement




Plz rate helpful posts-

snarayanaraju Tue, 01/12/2010 - 08:18

Dear JK,

I am worried that you are saying using LDAP + PEAP-GTC + ACS, it is not possible to make the setup which enables the wireless users to change their password.

Otherwise it will be difficult for us to control the users. I prefer the users should maintain their own password.

Can you please suggest me any other solution which will enable this setup using LDAP + ACS + other EAP method for my wireless clients (Please note: I donot want the certificate authentication as it will again require cumbersome task of distributing to users)

thanks in advance



This Discussion