Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1786
Views
0
Helpful
3
Replies

CS ACS Messages for failed user login attempts

brajar01
Level 1
Level 1

‎08-27-2003 08:24 AM - edited ‎03-10-2019 07:27 AM

If a user ID is disabled on CS ACS and the user tries to login after his account is locked out, he does not get any message. He is prompted again to enter his ID. Is there a message file where messages can be controlled for different kind of failed attempts like invalid user ID, account disabled, invalid password...

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎08-28-2003 05:14 PM

There is no way ACS can control what message is sent to the end user if his password is locked out. ACS merely responds to the NAS with a yes or a no on whether the user credentials are valid or not, it is then up to the NAS to allow or deny the connection, or in the special case of token new-pin mode, prompt the user for additional credentials. Adding log messages into ACS is not going to make anything appear to the end user. No way around this, sorry.

0 Helpful

brajar01
Level 1
Level 1
In response to gfullage

‎08-29-2003 06:55 AM

Thanks for the reply... But CS ACS does send messages to the client since the password expiration information is sent to the workstation... For example, if the password expiration is set, the following messages are received by the client

Username: test01

Password:

Your password will expire in 1 more logins

PS - additionally the "has expired" message is being sent:

3600-rtr>telnet 10.10.20.10

Trying 10.10.20.10 ... Open

Username: 10.10.20.10

Password:

Your password has expired.

Enter a new one now.

New Password:

Re-enter New password:

Password Changed

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to brajar01

‎08-29-2003 07:35 PM

ACS does NOT talk to the client directly at all.

The password expiration feature you describe is part of authenticating with MSCHAP. The NAS/router has to support that feature for which code was specifically written into IOS for it to do that, similarly for token new-pin mode. There is nothing in IOS code that is going to send a prompt/message to the user for when the users ACS account is disabled.

Hope that makes things clear.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents