Trying to configure ACS 3.1 to force users to change their passwords when authenticating through a VPN3000 for the first time. It will expire the password and not allow a second login attempt (user shows expired on ACS), but never prompts to change the password.
We've played with different settings under the Password Aging fields, but can't seem to change this behavior.
The user does get the banner messages we've set up.
Any idea what we are missing??
and believe we are following this correctly.
What version of VPN concentrator and client code are you running? On the concentrator, under the group, make sure you set the Authentication type to "Radius with expiry" under the IPSec tab.
Follow http://www.cisco.com/warp/public/471/vpn3k-ntpwexp.html and you should be up and running.
We are wanting to configure the UserIds only in the ACS database, not NT IDs. I'm now thinking this isn't supported although I don't read that in the documentation.
Appreciate any comments.
I'm trying to do the same thing and it sounds like you're having the same problems I am. I don't think the feature is supported when the ACS internal database is used. I'm still seeking a resolution and will post it if I come up with anything.
Yes, this feature is only supported when using NT database passwords. For ACS internal passwords, you can use the User Changable Password utility (http://www.cisco.com/warp/public/480/ucp.html). Not as nice as being prompted for it when you try and connect, but that's all there is unfortunately.
Still don't understand why, if it is not supported internally, there are options to set up password change policies.
The link is for 2.6 not 3.1.
What if we don't use Microsoft?
I don't know what you are authenticating on but I found this works great with active directories. As for NT 4.0, it's a little more involved make sure you have correct ACS version and Build, I was told Release 3.0(3) Build 6. I was also told by TAC to make sure the Radius and NT SAM are on the same box and I made sure the seetings are correct according to the documents. In the end it is still not working for NT 4.0
If anyone has any more info please pass it on thanks.
I was experiencing the same problems using the ACS local database. What I had to do was have all clients using dialup load the Ciscosecure Authentication Agent on their PC's or laptops. It runs in the background when they boot their PC and prevents their accounts from expiring. Also, in the dialup client properties, I had to click on "show terminal window" under the security tab in order to force a second window to open when the client tries dialling. This allows them to enter a new password. Also make sure under your user profile or group profile, can't remember which one, on the ACS you have the option checked off to force them to change password when the Admin. changes it. That's what I found works.
I have experiecing the same problem.
Anyone can help me? I probe several configuration and no work fine.
I have a:
*Cisco router 2612 (IOS 12.3(6)), this authenticate the dial-up user using Radius
*ACS for win 2000 Version 3.0(1) build 40, and
*CAA install in the client PC (win 2000 SP 4). The dial-up user are authenticate in the local ACS Data Base.
The problem is that the client never see the aging messaging.
I have been able to get this to work using the following method however it has not been very clean or pretty.
First you will need to install the user-changeable password software. It is easier to configure if you install it on the ACS server but can be installed on a separate server. In the second case you will need to define the server in the NDG's as a AAA server you can ignore the password field it just has to be defined,
Secondly you have to install the Cisco Authentication Agent (CAA) on the client machine just as a messaging service in order for the client to be prompted with a password change dialogue.
Hope this helps!