Password expired

Unanswered Question
May 11th, 2012

Hi,

Today we had an issue with our ACS 5.2.0.26.8. For some 802.1x accounts I have configured ACS-RESERVED-Never-Expired=True, but today all of them were set to expired, as I could see in the ACS instance logfile: Blocking Reason=PASSWORD_EXPIRED.


Any hints on that?


Regards, Andreas

Overall Rating: 5 (3 ratings)
maldehne Sun, 05/13/2012 - 23:21

Hi Andreas


What type of EAP authentication are you using?

Can you please send me screen shots from Users --> Authentication Settings


Screen shot from the Access Service where the EAP protocols detailed are viewed?


Sample screen shot from the settings of internal user?


Regards

Dominic Stalder Tue, 05/15/2012 - 02:37

Hi maldehne


We have the same problem. I used it for TACACS+ authentication; here you find the "allowed protocols" for our access service.



Do I need to enable MSCHAPv2 for ACS-RESERVED-Never-Expired to work?


Best regards

Dominic

maldehne Tue, 05/15/2012 - 04:23

Hello Dominic


Please try to redefine the attribute again by manually entering the attribute; sometimes copy and paste might cause replacement of '-' with a space. I have seen that in one case before.


Also, do you have any policy condition mapped to the attribute? If so, try to disable it and let me know how it goes.


Regards

Dominic Stalder Tue, 05/15/2012 - 04:38

Hi maldehne


Thanks for your fast feedback. Indeed, when I entered the attribute manually, the dropdown (with previously entered values) of the browser disappeared after the "ACS-", so there was a copy/paste problem.


BUT this did not solve the problem yet, I still get the following login prompt:


username: test2

password:



Enter new password:


Below you see some more configuration details. We use ACS 5.3.0.40.


Thanks a lot and best regards

Dominic


maldehne Tue, 05/15/2012 - 14:36

Please make sure that your setup has been done according to the following:

STEP 1:

To make internal user accounts never expire, go to System Administration > Users > Authentication Settings:

  • Select the "Advanced" tab and select "Never" under "Account Disable".

If you want to notify users of password expiry, then under the "Advanced" tab:

  • Select "Display Reminder after n days" under "Password Lifetime" ("n" can be from 1 to 365 days).

STEP 2:

1) System Administration > Configuration > Dictionaries > Identity > Internal Users: add a Boolean attribute with the name "ACS-RESERVED-Never-Expired" and set its default value to false.

2) Go to the user whose password you don't want to expire and set the "ACS-RESERVED-Never-Expired" field to true; do the same for each account whose password you do not want to expire.
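
The two things this thread trips over are an attribute name whose hyphens were silently turned into spaces by copy/paste, and per-user values that are not exactly true. The following is an added example (not from the original post, and not Cisco's own tooling) that audits a user list for both problems. It assumes a hypothetical CSV with a "name" column and one column per identity attribute; the sample rows are constructed for the example and the real ACS export format is not assumed.

```python
import csv
import io

# Exact name of the reserved attribute as it must appear in the dictionary.
ATTR = "ACS-RESERVED-Never-Expired"


def near_miss_reason(column):
    """Explain why a column name almost, but not exactly, matches ATTR.

    Returns None for an exact match or for an unrelated column name.
    """
    if column == ATTR:
        return None
    if column.strip() == ATTR:
        return "leading/trailing whitespace"
    if column.replace(" ", "-") == ATTR:
        return "hyphens replaced by spaces"  # the copy/paste problem from the thread
    if column.lower() == ATTR.lower():
        return "case differs"
    return None


def audit_export(csv_text):
    """Audit a user export for the never-expired attribute.

    Returns (header_problems, users) where header_problems maps a misspelled
    attribute column to a reason, and users maps each user name to one of
    'never-expires', 'will-expire' or 'attribute-missing'.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header_problems = {}
    for column in reader.fieldnames or []:
        reason = near_miss_reason(column)
        if reason:
            header_problems[column] = reason

    users = {}
    for row in reader:
        value = row.get(ATTR)
        if value is None:
            # Column absent (or misspelled): ACS would never see the flag.
            users[row["name"]] = "attribute-missing"
        elif value.strip().lower() == "true":
            users[row["name"]] = "never-expires"
        else:
            # Empty or false: the default (false) applies and the password expires.
            users[row["name"]] = "will-expire"
    return header_problems, users


# Constructed sample data (hypothetical format, not a real ACS export).
GOOD_EXPORT = """name,ACS-RESERVED-Never-Expired
andreas,true
test2,false
svc-ciscoworks,
"""

# Same data, but the header was pasted with spaces instead of hyphens.
BAD_HEADER_EXPORT = """name,ACS RESERVED Never Expired
test2,true
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_EXPORT), ("bad header", BAD_HEADER_EXPORT)):
        problems, users = audit_export(text)
        print(label, problems, users)
```

Run against the second sample, the audit reports the corrupted column name and marks every user as missing the attribute, which is the same outcome the thread saw: a user who appears to have the flag set still gets PASSWORD_EXPIRED because the attribute ACS is looking for does not exist under that name.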

Dominic Stalder Tue, 05/15/2012 - 15:31

Great, I did not know that the default value has to be FALSE anyway; I thought I could use TRUE or FALSE, but it is definitely only FALSE.


Thanks a lot and best regards (5 points to go... ;-)

Dominic

maldehne Tue, 05/15/2012 - 23:22

BTW Dominic please make sure to flag the thread as solved.


Dominic Stalder Tue, 05/15/2012 - 23:34

I would like, but because it is not MY discussion, I can not mark your great answer as the correct one!


Sorry for that.


Best regards

Dominic

acontes Fri, 09/28/2012 - 01:25

Before, authentication failed because of "password expired".


But now I am struggling with another issue. The password now will not expire, but authentication fails for the following reason: "24203 User need to change password".


Can't believe that...


I have to say this: ACS 5 is a really epic fail with these user-specific parameters. I can't migrate my 802.1x users, my VPN users and my technical users (i.e. for CiscoWorks), all because of this password expire "thing".


Looks like I really have to buy 2 ACS systems: one with TACACS config for device administration and password expiration, and one with RADIUS config for network access without password expiration :-/
