ACS Password Policy

My company would like to replace the existing LDAP servers with Cisco ACS. One requirement of our VPN security policy is that the user must change their VPN account password prior to their first login. If the user tries to connect to the VPN without changing their password, then they are denied access.

Is there a rule in ACS that can achieve this goal?

Accepted Solution

Hello Michael,

Yes, there is a way to change the password. You will need to define "password-management" under the tunnel group that you created for this connection, with the AAA server that will authenticate users. Please take into account the following information:

ACS can be configured to check the users in an AD database. Password expiry and change are supported when Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2) is used.

On an ASA, you can use the password management feature, as described in the next section, in order to force the ASA to use MSCHAPv2. ACS uses the Common Internet File System (CIFS) Distributed Computing Environment/Remote Procedure Call (DCE/RPC) call when it contacts the Domain Controller (DC) directory in order to change the password.

The ASA can use both the RADIUS and TACACS+ protocols to contact the ACS for an AD password change. The commands (the tunnel-group name is the one you created for this connection):

ASA(config)# tunnel-group <tunnel-group-name> general-attributes

ASA(config-tunnel-general)# password-management

For further information on PAP and MSCHAP with RADIUS, see:

  http://www.cisco.com/c/en/us/support/docs/network-management/remote-access/116757-config-asa-remote-00.pdf

Please proceed to rate this post and the previous one and mark it as correct. Keep me posted if something comes up!

Regards,

David Castro,
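The two commands above as they sit in a fuller ASA configuration, added here as an example and not taken from the post or from Cisco documentation; the server group name ACS-RADIUS, the ACS address 192.0.2.10, the shared-secret placeholder and the tunnel-group name ANYCONNECT-TG are assumptions.

```text
! Added example (assumed names and addresses, not from the original post).
! RADIUS server group pointing at ACS; the ASA must send MSCHAPv2 for a
! password change to work, and mschapv2-capable is enabled by default.
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
 mschapv2-capable
!
! Remote-access tunnel group for AnyConnect users. password-management
! makes the ASA prompt for a new password when ACS reports that the
! current one is expired or must be changed.
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group ACS-RADIUS
 password-management
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias ANYCONNECT enable
```

On the ACS side the user account still has to be flagged to change its password at next login (or hold an expired password) for the first AnyConnect connection to be interrupted by the change prompt; `test aaa-server authentication ACS-RADIUS host 192.0.2.10 username <user> password <password>` confirms from the ASA that the RADIUS exchange with ACS works.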


Hi Michael,

You can reset the password this way:

Resetting Another Administrator’s Password

To reset another administrator’s password:

Step 1: Choose System Administration > Administrators > Accounts.

The Accounts page appears with a list of administrator accounts.

Step 2: Check the check box next to the administrator account for which you want to change the password and click Change Password.

The Authentication Information page appears, listing the date when the administrator's password was last changed.

Step 3: In the Password field, enter a new administrator password.

Step 4: In the Confirm Password field, re-enter the new administrator password.

Step 5: Check the Change password on next login check box for the other administrator to change the password at first login.

Step 6: Click Submit.

The administrator password is reset. 

Which type of remote access VPN are you using, AnyConnect or the IPsec VPN Client?

Please rate and mark this post as correct if it helped you! Keep me posted.

David Castro,

I appreciate your response. The users will be connecting to the VPN via AnyConnect. For the AnyConnect users, is there an option to force them to change their password upon first login?

