I have installed ACS 5.1 in one of our customer location, and I integrated with their AD successfully, authentication and authorization works perfectly.
My question is for example if from AD I forced the user to change the password at next logon. Now if this user login to the switch he will get the password change msg but after trying to change the password I get (authentication failed), which means he cannot change the password.
I have seen in the user guide document from cisco that this is possible but i was looking for a more detailed guide if possible.
What error message are you getting in tacacs autnentication?
Also, please provide me the sh version from the device and following debugs
debug aaa authentication
MSCHAPv2 for Change Password
When you use EAP-MSCHAPv2 (as an EAP inner method) to authenticate a user whose password has expired, ACS sends a specific EAP-MSCHAPv2 failure notification to the client. The client can prompt the user for new password and then provide it to ACS inside the same conversation. The new password is encrypted with the help of the old one. When a user password is changed successfully, the new user password is stored in the credential database.
EAP-MSCHAPv2 change password is supported for AD and ACS internal identity store.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :