Cisco Support Community
Community Member

CS ACS Messages for failed user login attempts

If a user ID is disabled on CS ACS and the user tries to log in after his account is locked out, he does not get any message. He is prompted again to enter his ID. Is there a message file where messages can be controlled for different kinds of failed attempts, like invalid user ID, account disabled, invalid password...?

Cisco Employee

Re: CS ACS Messages for failed user login attempts

There is no way ACS can control what message is sent to the end user if his password is locked out. ACS merely responds to the NAS with a yes or a no on whether the user credentials are valid or not; it is then up to the NAS to allow or deny the connection, or in the special case of token new-pin mode, prompt the user for additional credentials. Adding log messages into ACS is not going to make anything appear to the end user. No way around this, sorry.

Community Member

Re: CS ACS Messages for failed user login attempts

Thanks for the reply... But CS ACS does send messages to the client since the password expiration information is sent to the workstation... For example, if the password expiration is set, the following messages are received by the client:

Username: test01


Your password will expire in 1 more logins

PS - additionally the "has expired" message is being sent:


Trying ... Open



Your password has expired.

Enter a new one now.

New Password:

Re-enter New password:

Password Changed

Cisco Employee

Re: CS ACS Messages for failed user login attempts

ACS does NOT talk to the client directly at all.

The password expiration feature you describe is part of authenticating with MSCHAP. The NAS/router has to support that feature, for which code was specifically written into IOS for it to do that, similarly for token new-pin mode. There is nothing in IOS code that is going to send a prompt/message to the user for when the user's ACS account is disabled.

Hope that makes things clear.
