Guys, I am a bit stumped with this one. I am running ACS 5.1 for device (router) administration only and using AD for the identity store. My question is: when it is time for a user to change their AD password (90 days) and they log into a router, can they get a message saying they need to change it?
I opened a TAC ticket about it and they are telling me that it is not supported in v5.1. Is that true? If not, can I get some help on configuring this function?
Actually, it depends on the protocol.
Active Directory password notification uses the MS-CHAP protocol. So if your router supports that protocol, it will be OK. My guess is that you're using TACACS. I'm not sure if you can configure MS-CHAP in your router along with TACACS.
I have a similar problem when using an ASA as a VPN concentrator. Here, the ASA uses RADIUS along with MS-CHAP to tell ACS 5.1 about password notifications.
So this is more of a router configuration issue than it is an ACS (TACACS) issue? Do you have any sample config for a router that I can test, or any documentation that I can look at? I am not too familiar with how that piece works.
The name of the feature you're looking for is "password expiry" and it uses MS-CHAPv2.
That's why the AAA client (in your case, the router), the AAA protocol (I'm guessing you're using TACACS), the AAA server (ACS 5.1) and your Active Directory server must all support MS-CHAPv2.
Sadly, I don't know if TACACS+ supports MS-CHAPv2 authentication. I know that Cisco routers with RADIUS do support MS-CHAPv2 authentication for VPNs (beginning with IOS 12.4(6)T), but I never tested it. The command is
aaa authentication login
In Cisco ASA, RADIUS also supports password-expiry for VPNs. The command is
By the way, I have a case open with Cisco TAC about password-expiry between ASA and ACS 5.1, because it seems there's a bug with ACS 5.1 supporting MS-CHAPv2 password-expiry. I'll keep you posted about my findings.
Sorry guys I got a bit busy and was not able to dig any more into this.
So are you saying that if I use TACACS+ to allow admin access to my Cisco routers, and I use AD to authenticate their IDs and passwords (no local ACS accounts), it will not allow me to alert them when their password is about to expire or has expired?
Everything works perfectly right now using AD to authenticate and mapping AD groups to an ACS group, but it is not alerting my users when their passwords are about to expire. So their accounts can get locked if they don't change them.
I'm attempting the same thing, albeit a tiny bit differently.
I have an ASA supporting a VPN, and ACS 5.2 supporting TACACS and RADIUS authentications.
When a user is in "user must change password on next login" mode, the login prompt on the ASA just states "login failed". It doesn't prompt the user properly to change their password.
In the ACS RADIUS authentication logs, I see the error message "24203 User need to change password", which is good, but the ASA is not understanding the reply from ACS.
I also have a TAC case open for this issue. Obviously it will be a bit different from ASA -> ACS -> AD, but it might be the same principle with the password-expiry command.
Please update this thread if you've found an update.
I will definitely keep you in the loop, but TAC is telling me there is no way. I find it hard to believe this was not thought of when 5.x was created and able to connect to AD for auth. I am just using TACACS for admin access to routers, switches and ASAs, no VPN access.
I actually heard back from TAC.
With my config, there isn't a way to do it.
I currently have users authenticate to the VPN using RSA, so the sequence goes ASA -> ACS -> RSA (if the user is not found, fall back to ACS internal users) -> ACS.
During the process of the tunnel from ACS -> RSA, the MS-CHAPv2 is stripped, and the ASA never gets the password change request back to the ASA initiating the connection.
I could make this work by solely using ACS for authentication, but that's not how we want things to work here.
However, to make it work with ACS, there is a command I put into the tunnel-group area called "password-management". I'm not sure if you can apply that to other parts of the config for device authentication or not, and I'm not sure if you can tie that in to AD authentication either.
Anyways, that's what I've found.
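For readers following the two ASA/IOS posts above (the one mentioning IOS 12.4(6)T and the "password-management" one), here is the configuration they are describing, written out as an added example; it is not taken from any post in this thread or from Cisco's own documentation text. The server group name ACS-RADIUS, the tunnel-group name VPN-USERS, the login list name, the interface name, the address 192.0.2.10 and the shared secret are all assumed placeholders.

```cisco
! Added example, not from any post in this thread. Interface, address,
! group/list names and the shared secret are assumed placeholders.
!
! --- ASA: RADIUS to ACS with MS-CHAPv2, password-management on the tunnel-group ---
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
! mschapv2-capable is the default on the host entry; it is shown so nobody
! disables it by accident, since password-management relies on MS-CHAPv2.
 mschapv2-capable
!
tunnel-group VPN-USERS type remote-access
tunnel-group VPN-USERS general-attributes
 authentication-server-group ACS-RADIUS
! With password-management set, the ASA authenticates the VPN user with
! MS-CHAPv2 and can prompt for a new password when the server reports expiry.
 password-management
!
! --- IOS router (12.4(6)T or later): the equivalent for a RADIUS VPN login list ---
aaa new-model
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
! The passwd-expiry keyword is what turns on the MS-CHAPv2 password-expiry
! handling for this login list.
aaa authentication login VPN-USERS passwd-expiry group radius
```

Both knobs sit on the VPN side of the configuration (a tunnel-group on the ASA, a login list used for VPN on IOS) and depend on RADIUS carrying MS-CHAPv2 end to end. That matches what the thread reports: a TACACS+ device-administration login has no equivalent keyword here, and inserting another hop that drops MS-CHAPv2 (the ACS -> RSA path described above) leaves the ASA with only a failed login instead of a change-password prompt. The example does not claim a way around either limitation.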
Sure can, the case number is 616060259. I was working with TAC at the end of last year; I was just able to pick back up on this, which is why I figured I would try these forums next.
Let me know if you find out anything.