Cisco Support Community
Community Member

ACS 4.2 - External DB Password Expiry not working as expected

The setup is a VPN Client 5.0 connecting using a VPN Concentrator 3015 (using RADIUS with password expiry). ACS is set up using an External DB (Windows2k3 DC) with MS-CHAPv1/v2 password changes enabled.

Everything is working. However, when a user's password is expired, the client does not prompt for a password change.

ACS can see the failed attempts as 'Authen-Failure-Code - Windows user must change password'. Without the prompt, however, the user cannot change his/her password.

Any feedback is welcome. Thanks.


Re: ACS 4.2 - External DB Password Expiry not working as expecte


Please make sure it is configured as per this link,



Do rate helpful posts

Community Member

Re: ACS 4.2 - External DB Password Expiry not working as expecte

Hi JG,

Thanks for the reply. The exact guide has been followed as closely as possible (but not to the dot as some fields are missing due to version differences) but the issue persists.

Wondering if there's any known bug/gotchas for this spec:-

- Cisco ACS v4.2 (Running on 1113 SE)

- Win2K3 Enterprise/DC running ACS RA (isolated native domain - no child/trusted r'ship setup)

- VPN Concentrator 3015 v4.7.2

- VPN client

Straight authentication is definitely ok - it's just the password expiry prompt not given. The system admin has assured me the AD is running ok but I wonder if there's any special configuration that we should be especially aware of (I have shown him this: and able to verify that the settings have been followed).

Any comment is welcome. Thanks.
