Password expired

May 11th, 2012


Today we had an issue with our ACS. For some 802.1x accounts I have configured ACS–RESERVED–Never–Expired=True, but today all of them were set to expired, as I could see in the ACS instance logfile: Blocking Reason=PASSWORD_EXPIRED.

Any hints on that?

Regards, Andreas

maldehne Sun, 05/13/2012 - 23:21
User Badges:
  • Cisco Employee,

Hi Andreas

What type of EAP authentication are you using?

Can you please send me screen shots from Users --> Authentication Settings

Screen shot from the Access Service where the EAP protocols detailed are viewed?

Sample screen shot from the settings of internal user?


Dominic Stalder Tue, 05/15/2012 - 02:37

Hi maldehne

We have the same problem; I used it for TACACS+ authentication. Here you find the "allowed protocols" for our access service.

Do I need to enable MSCHAPv2 for ACS-RESERVED-Never-Expired to work?

Best regards


maldehne Tue, 05/15/2012 - 04:23
User Badges:
  • Cisco Employee,

Hello Dominic

Please try to redefine the attribute again by manually entering the attribute; sometimes copy and paste might cause replacement of '-' with space. I have seen that in one case before.

Also, do you have any policy condition mapped to the attribute? If so, try to disable it and let me know how it goes.
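
The copy/paste problem described in the reply above, where '-' in the attribute name is replaced by a space or a look-alike dash, can be checked mechanically before the name is entered in the dictionary. This is an added example, not part of the thread and not Cisco tooling; the function names and the sample inputs are constructed for illustration.

```python
import unicodedata

EXPECTED = "ACS-RESERVED-Never-Expired"  # attribute name as given in the thread

# Characters outside Unicode category Pd that still render like a hyphen.
EXTRA_DASHES = {"\u2212", "\u00ad"}  # minus sign, soft hyphen


def suspicious_chars(name):
    """Return (index, 'U+XXXX', unicode name) for each hyphen look-alike or space."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        is_dash = (cat == "Pd" and ch != "-") or ch in EXTRA_DASHES
        is_space = cat.startswith("Z") or ch in "\t\r\n"
        if is_dash or is_space:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits


def check_attribute_name(name, expected=EXPECTED):
    """Classify a pasted attribute name against the expected ASCII spelling."""
    if name == expected:
        return "ok", []
    hits = suspicious_chars(name)
    repaired = list(name)
    for i, _, _ in hits:
        repaired[i] = "-"
    if "".join(repaired) == expected:
        return "lookalike", hits   # same name once the separators are fixed
    return "mismatch", hits        # differs in more than the separators


if __name__ == "__main__":
    # Constructed inputs: typed by hand, en dashes from a rich-text paste,
    # spaces instead of hyphens, and a plain typo.
    samples = [
        "ACS-RESERVED-Never-Expired",
        "ACS\u2013RESERVED\u2013Never\u2013Expired",
        "ACS RESERVED Never Expired",
        "ACS-RESERVED-Never-Expire",
    ]
    for s in samples:
        status, hits = check_attribute_name(s)
        print(f"{status:9} {s!r} {hits}")
```

A "lookalike" result means the name matches only after the separators are replaced with ASCII hyphens, which is the case where retyping the attribute by hand is the fix.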


Dominic Stalder Tue, 05/15/2012 - 04:38

Hi maldehne

Thanks for your fast feedback. Indeed, when I entered the attribute manually, the dropdown (with previously entered values) of the browser disappeared after the ACS-, so there was a copy/paste problem.

BUT this did not solve the problem yet, I still get the following login prompt:

username: test2


Enter new password:

Below you see some more configuration details. We use ACS

Thanks a lot and best regards


maldehne Tue, 05/15/2012 - 14:36
User Badges:
  • Cisco Employee,

Please make sure that your setup has been done according to the following:


To make internal user accounts never expire, go to System Administration > Users > Authentication Settings:

  • Select the "Advanced" tab and select "Never" under "Account

If you want to notify users for password expiry then under the "Advanced"

  • Select "Display Reminder after n days" under "Password Lifetime" ("n" can be days from 1 to 365)

1) System Administration > Configuration > Dictionaries > Identity > Internal Users: add Boolean attribute with name "ACS-RESERVED-Never-Expired" and set it to false.

2) Go to the user you don't want the password to expire and set the "ACS-RESERVED-Never-Expired" field to be true; do the same for each account that you do not want the password to expire.

Dominic Stalder Tue, 05/15/2012 - 15:31

Great, I did not know that the default value has to be FALSE in any case; I thought I could use TRUE or FALSE, but it is definitely only FALSE.

Thanks a lot and best regards (5 points to go... ;-)


maldehne Tue, 05/15/2012 - 23:22
User Badges:
  • Cisco Employee,

BTW Dominic please make sure to flag the thread as solved.

Dominic Stalder Tue, 05/15/2012 - 23:34

I would like, but because it is not MY discussion, I can not mark your great answer as the correct one!

Sorry for that.

Best regards


acontes Fri, 09/28/2012 - 01:25

Before, authentication failed because of "password expired".

But now I am struggling with another issue. The password now will not expire, but authentications failed because of the following reason: "24203 User need to change password".

Can't believe that...

I have to say this: ACS 5 is a really epic fail with these user specific parameters. I can't migrate my 802.1x users, my VPN users and my technical users (i.e. for Cisco Works). All because of this password expire "thing".

Looks like I really have to buy 2 ACS systems: one with TACACS config for device administration and password expiration and one with RADIUS config for network access without password expiration :-/

