2601 Views, 15 Helpful, 9 Replies

Password expired

acontes
Level 1

Hi,

Today we had an issue with our ACS 5.2.0.26.8. For some 802.1x accounts I have configured ACS-RESERVED-Never-Expired=True, but today all of them were set to expired, as I could see in the ACS instance logfile: Blocking Reason=PASSWORD_EXPIRED.

Any hints on that?

Regards, Andreas

9 Replies

maldehne
Cisco Employee

Hi Andreas

What type of EAP authentication are you using?

Can you please send me screenshots of Users --> Authentication Settings,

a screenshot of the Access Service where the allowed EAP protocols are shown,

and a sample screenshot of the settings of an internal user?

Regards

Hi maldehne

We have the same problem. I use it for TACACS+ authentication; here you find the "allowed protocols" for our access service.

Do I need to enable MSCHAPv2 for ACS-RESERVED-Never-Expired to work?

Best regards

Dominic

Hello Dominic

Please try to redefine the attribute again by manually entering the attribute; sometimes copy and paste causes '-' to be replaced with a space. I have seen that in one case before.

Also, do you have any policy condition mapped to the attribute? If so, try to disable it and let me know how it goes.

Regards

Hi maldehne

Thanks for your fast feedback. Indeed, when I entered the attribute manually, the browser's dropdown (with previously entered values) disappeared after the "ACS-", so there was a copy/paste problem.

BUT this did not solve the problem yet; I still get the following login prompt:

username: test2

password:

Enter new password:

Below you see some more configuration details. We use ACS 5.3.0.40.

Thanks a lot and best regards

Dominic

Please make sure that your setup has been done according to the following:

STEP 1:

To make internal user accounts never expire, go to System Administration > Users > Authentication Settings:

- Select the "Advanced" tab and select "Never" under "Account Disable".

If you want to notify users of password expiry, then under the "Advanced" tab:

- Select "Display Reminder after n days" under "Password Lifetime" ("n" can be from 1 to 365 days).

STEP 2:

1) System Administration > Configuration > Dictionaries > Identity > Internal Users: add a Boolean attribute with the name "ACS-RESERVED-Never-Expired" and set it to false.

2) Go to the user whose password you don't want to expire and set the "ACS-RESERVED-Never-Expired" field to true. Do the same for each account whose password you do not want to expire.

Great, I did not know that the default value has to be FALSE anyway. I thought I could use TRUE or FALSE, but it is definitely only FALSE.

Thanks a lot and best regards (5 points to go... ;-)

Dominic

BTW Dominic please make sure to flag the thread as solved.

I would like to, but because it is not MY discussion, I cannot mark your great answer as the correct one!

Sorry for that.

Best regards

Dominic

Before, authentication failed because of "password expired".

But now I am struggling with another issue. The password now does not expire, but authentication fails because of the following reason: "24203 User need to change password".

Can't believe that...

I have to say this: ACS 5 is a really epic fail with these user-specific parameters. I can't migrate my 802.1x users, my VPN users and my technical users (i.e. for CiscoWorks), all because of this password expiry "thing".

Looks like I really have to buy two ACS systems: one with a TACACS config for device administration and password expiration, and one with a RADIUS config for network access without password expiration :-/
