New Member

Cisco ACS 4.1 and Microsoft AD integration

I have the following configuration:

Cisco ACS 4.1 is running on the Microsoft Active Directory Server (all in the same box). IP address of this box is 192.168.1.1/24. I have RSA SecurID Server running on another box (192.168.1.2/24).

I tried to integrate Cisco ACS 4.1 with Microsoft AD server. I can log into Cisco devices with account(s) I created on the AD server.

What I would like to do is that whenever I reset the password for user(s) on the AD server, I want the user(s) to have the ability to change the password of the account on the Cisco device, like this:

[root@dca2-Linux root]# telnet 192.168.0.5
Trying 192.168.0.5...
Connected to 192.168.0.5 (192.168.0.5).
Escape character is '^]'.
User Access Verification
Username: test2
Enter PASSCODE:
Do you want to enter your own pin? (y or n) [n]
Enter your new Numerical PIN, containing 4 to 8 digits
or
"x" to cancel the new PIN procedure:
Reenter PIN:
C2960>

The above example is for ACS 4.1 and RSA SecurID integration. I would like to do the same thing between Cisco ACS 4.1 and Microsoft AD Server (running on Windows 2003 Enterprise Server with Service Pack 2). By the way, in ACS, I enabled both version 1 and version 2 for MS-CHAP and it still does not work.

Anyone know how to fix this? Thanks.

7 REPLIES

Re: Cisco ACS 4.1 and Microsoft AD integration

So you want users to be able to change their AD password on their own, i.e. using ALT CTRL DEL.

Is that correct?

New Member

Re: Cisco ACS 4.1 and Microsoft AD integration

Hi,

Yes, that is correct. As we speak, I can do that with SecurID and ACS integration but I do not know how to do it with ACS and Microsoft LDAP integration.

New Member

Re: Cisco ACS 4.1 and Microsoft AD integration

Can someone help me out here? Thanks.

Re: Cisco ACS 4.1 and Microsoft AD integration

Kevin,

I don't think that is possible as ACS has no role to play here. When a user initiates a password change, the request goes straight to AD.

Regards,

~JG

New Member

Re: Cisco ACS 4.1 and Microsoft AD integration

JG,

Then how do you explain the following:

1) I can do password change between Cisco 4.1 ACS and RSA SecurID integration,

2) I have remote access VPN user(s) for Cisco PIX firewall and it uses Internet Authentication Service (aka Microsoft RADIUS) running on the same server and I use RADIUS authentication for remote VPN users (with MS-CHAP and MS-CHAP version 2). VPN users with Cisco VPN Client can change the password through the VPN client. That proves that there are mechanisms to do this.

OK, the ACS/LDAP integration is not Microsoft IAS but I would think that ACS has to be able to do this. I just don't know how to configure this.

Comments?

Re: Cisco ACS 4.1 and Microsoft AD integration

Kevin,

You use this software.

http://www.greyware.com/software/domainpassword/index.asp

With this, users can change their AD password.

Hope that helps!

Regards,

~JG

New Member

Re: Cisco ACS 4.1 and Microsoft AD integration

JG,

I am aware of this software but I would like to avoid that. I want to have the ability to do it on network devices (aka Cisco routers and switches). Thanks.
