Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 3.1 user password changes

Trying to configure ACS 3.1 to force users to change their passwords when authenticating through a VPN3000 for the first time. It will expire the password and not allow a second login attempt (user shows expired on ACS), but never prompts to change the password.

We've played with different settings under the Password Aging fields, but can't seem to change this behavior.

The user does get the banner messages we've set up.

Any idea what we are missing??

Have reviewed

and believe we are following this correctly.

Cisco Employee

Re: ACS 3.1 user password changes

What version of VPN concentrator and client code are you running? On the concentrator, under the group, make sure you set the Authentication type to "Radius with expiry" under the IPSec tab.

Follow and you should be up and running.

New Member

Re: ACS 3.1 user password changes

Concentrator 3.6.7

Client 3.6.3

We are wanting to configure the UserIds only in the ACS database, not NT IDs. I'm now thinking this isn't supported although I don't read that in the documentation.

Appreciate any comments.

New Member

Re: ACS 3.1 user password changes

I'm trying to do the same thing and it sounds like you're having the same problems I am. I don't think the feature is supported when the ACS internal database is used. I'm still seeking a resolution and will post it if I come up with anything.

Cisco Employee

Re: ACS 3.1 user password changes

Yes, this feature is only supported when using NT database passwords. For ACS internal passwords, you can use the User Changable Password utility ( Not as nice as being prompted for it when you try and connect, but that's all there is unfortunately.

New Member

Re: ACS 3.1 user password changes

Still don't understand why, if it is not supported internally, there are options to set up password change policies.

The link is for 2.6 not 3.1.

What if we don't use Microsoft?

New Member

Re: ACS 3.1 user password changes

I don't know what you are authenticating on but I found this works great with active directories. As for NT 4.0, it's a little more involved make sure you have correct ACS version and Build, I was told Release 3.0(3) Build 6. I was also told by TAC to make sure the Radius and NT SAM are on the same box and I made sure the seetings are correct according to the documents. In the end it is still not working for NT 4.0

If anyone has any more info please pass it on thanks.

New Member

Re: ACS 3.1 user password changes

I was experiencing the same problems using the ACS local database. What I had to do was have all clients using dialup load the Ciscosecure Authentication Agent on their PC's or laptops. It runs in the background when they boot their PC and prevents their accounts from expiring. Also, in the dialup client properties, I had to click on "show terminal window" under the security tab in order to force a second window to open when the client tries dialling. This allows them to enter a new password. Also make sure under your user profile or group profile, can't remember which one, on the ACS you have the option checked off to force them to change password when the Admin. changes it. That's what I found works.

New Member

Re: ACS 3.1 user password changes


I have experiecing the same problem.

Anyone can help me? I probe several configuration and no work fine.

I have a:

*Cisco router 2612 (IOS 12.3(6)), this authenticate the dial-up user using Radius

*ACS for win 2000 Version 3.0(1) build 40, and

*CAA install in the client PC (win 2000 SP 4). The dial-up user are authenticate in the local ACS Data Base.

The problem is that the client never see the aging messaging.


New Member

Re: ACS 3.1 user password changes

I have been able to get this to work using the following method however it has not been very clean or pretty.

First you will need to install the user-changeable password software. It is easier to configure if you install it on the ACS server but can be installed on a separate server. In the second case you will need to define the server in the NDG's as a AAA server you can ignore the password field it just has to be defined,

Secondly you have to install the Cisco Authentication Agent (CAA) on the client machine just as a messaging service in order for the client to be prompted with a password change dialogue.

Hope this helps!

CreatePlease login to create content