Password expired

Unanswered Question
May 11th, 2012

Hi,

Today we had an issue with our ACS 5.2.0.26.8. For some 802.1x accounts I have configured ACS–RESERVED–Never–Expired=True, but today all of them were set to expired, as I could see in the ACS instance logfile. Blocking Reason=PASSWORD_EXPIRED.

Any hints on that?

Regards, Andreas

maldehne Sun, 05/13/2012 - 23:21

Hi Andreas

What type of EAP authentication are you using?

Can you please send me screen shots from Users --> Authentication Settings

Screen shot from the Access Service where the EAP protocols detailed are viewed?

Sample screen shot from the settings of internal user?

Regards

Dominic Stalder Tue, 05/15/2012 - 02:37

Hi maldehne

We have the same problem. I used it for TACACS+ authentication; here you find the "allowed protocols" for our access service.

Do I need to enable MSCHAPv2 for ACS-RESERVED-Never-Expired to work?

Best regards

Dominic

maldehne Tue, 05/15/2012 - 04:23

Hello Dominic

Please try to redefine the attribute again by manually entering the attribute; sometimes copy and paste might cause replacement of '-' with a space. I have seen that in one case before.

Also, do you have any policy condition mapped to the attribute? If so, try to disable it and let me know how it goes.

Regards
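The copy/paste problem described in the reply above can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tool: it compares a pasted attribute name against the name given in this thread and reports dash look-alikes, spaces and invisible characters. The function names and the sample strings are constructed for illustration.

```python
import unicodedata

EXPECTED = "ACS-RESERVED-Never-Expired"  # attribute name as written in the thread

def diagnose_attribute_name(candidate):
    """List (index, code point + Unicode name, problem) for every suspect character."""
    findings = []
    for i, ch in enumerate(candidate):
        if ch.isascii() and (ch.isalnum() or ch == "-"):
            continue  # plain letters, digits and ASCII hyphen-minus are fine
        cat = unicodedata.category(ch)
        if cat == "Pd":
            problem = "dash look-alike, not ASCII hyphen-minus"
        elif cat == "Zs" or ch.isspace():
            problem = "whitespace"
        elif cat in ("Cf", "Cc"):
            problem = "invisible/control character"
        else:
            problem = "unexpected character"
        label = f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"
        findings.append((i, label, problem))
    return findings

def normalize_attribute_name(candidate):
    """Turn dash look-alikes and inner spaces into '-', drop invisible characters."""
    out = []
    for ch in candidate.strip():
        cat = unicodedata.category(ch)
        if cat in ("Pd", "Zs"):
            out.append("-")
        elif cat not in ("Cf", "Cc"):
            out.append(ch)
    return "".join(out)

def check(candidate, expected=EXPECTED):
    """Summarise whether the name matches exactly, and whether it is repairable."""
    return {
        "exact_match": candidate == expected,
        "repairable": normalize_attribute_name(candidate) == expected,
        "findings": diagnose_attribute_name(candidate),
    }

# Constructed samples: what a rich-text copy/paste can produce.
SAMPLES = {
    "typed by hand": "ACS-RESERVED-Never-Expired",
    "en dashes": "ACS\u2013RESERVED\u2013Never\u2013Expired",
    "hyphen became space": "ACS RESERVED-Never-Expired",
    "zero-width space": "ACS-\u200bRESERVED-Never-Expired",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, check(value))
```
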

Dominic Stalder Tue, 05/15/2012 - 04:38

Hi maldehne

Thanks for your fast feedback. Indeed, when I entered the attribute manually, the dropdown (with previously entered values) of the browser disappeared after the ACS-, so there was a copy/paste problem.

BUT this did not solve the problem yet, I still get the following login prompt:

username: test2

password:

Enter new password:

Below you see some more configuration details. We use ACS 5.3.0.40.

Thanks a lot and best regards

Dominic

maldehne Tue, 05/15/2012 - 14:36

Please make sure that your setup has been done according to the following:

STEP 1:

To make internal user accounts never expire, go to System Administration > Users > Authentication Settings:

  • Select the "Advanced" tab and select "Never" under "Account Disable".

If you want to notify users of password expiry, then under the "Advanced" tab:

  • Select "Display Reminder after n days" under "Password Lifetime" ("n" can be days from 1 to 365)

STEP 2:

1) System Administration > Configuration > Dictionaries > Identity > Internal Users: add a Boolean attribute with the name "ACS-RESERVED-Never-Expired" and set it to false.

2) Go to the user whose password you don't want to expire and set the "ACS-RESERVED-Never-Expired" field to true; do the same for each account whose password you do not want to expire.

Dominic Stalder Tue, 05/15/2012 - 15:31

Great, I did not know that the default value has to be FALSE anyway; I thought I could use TRUE or FALSE, but it is definitely only FALSE.

Thanks a lot and best regards (5 points to go... ;-)

Dominic

maldehne Tue, 05/15/2012 - 23:22

BTW Dominic please make sure to flag the thread as solved.

Dominic Stalder Tue, 05/15/2012 - 23:34

I would like, but because it is not MY discussion, I can not mark your great answer as the correct one!

Sorry for that.

Best regards

Dominic

acontes Fri, 09/28/2012 - 01:25

Before, authentication failed because of "password expired".

But now I am struggling with another issue. The password now will not expire, but authentications failed because of the following reason: "24203 User need to change password".

Can't believe that...

I have to say this: ACS 5 is a really epic fail with these user-specific parameters. I can't migrate my 802.1x users, my VPN users and my technical users (i.e. for cisco works). All because of this password expire "thing".

Looks like I really have to buy 2 ACS systems: one with TACACS config for device administration and password expiration, and one with RADIUS config for network access without password expiration :-/

Posted May 11, 2012 at 2:04 AM