Determining Password Expiriy For User Accounts in ACS 5.3.0.40

djherteen · ‎08-14-2013

Greetings CSC Community,

I am running Cisco ACS server version 5.3.0.40, for which my organization uses to provide persistant read-only or time restricted read-write access to devices under our control.

The problem I am facing is that the majority of these third-party accounts may only login every 60-90+ days as needed which is beyond what our global password lifetime configuration is set at, this is resulting in quite a few trouble tickets with our NOC when they can't access devices due to password expiry.

So while we do have notifcations set to remind users to change their password when the device is accessed, this alone is not effective since the majority have their passwords expire prior to the login attempt.

I have tried to find something under "Alarms" in Monitoring & Reporting where I can set a threshold for account inactivity and generate an e-mail but so far I can only find authentication inactivity per instance or device, not per user or Identity Group.

Do any CSC users out here have any ideas how I can leverage ACS functionality to provide a more proactive solution to this problem.

Any suggestions or ideas are much appricated.

Thanks,

Darin

Muhammad Munir · ‎09-09-2013

Hi

The Monitoring feature in ACS generates alarms to notify you of critical system conditions. The monitoring component retrieves data from ACS. You can configure thresholds and rules on this data to manage alarms.

Alarm notifications are displayed in the web interface and you can get a notification of events through e-mail and Syslog messages. ACS filters duplicate alarms by default.

The alarm threshold category. Options can be:

•Passed Authentications

•Failed Authentications

•Authentication Inactivity

•TACACS Command Accounting

•TACACS Command Authorization

•ACS Configuration Changes

•ACS System Diagnostics

•ACS Process Status

•ACS System Health

•ACS AAA Health

•RADIUS Sessions

•Unknown NAD

•External DB Unavailable

•RBACL Drops

•NAD-reported AAA Down

For more information regarding configuration and deployment, please go through this link:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/viewer_monitoring.html#wp1098902

harvisin · ‎09-10-2013

Hello,

I think you need to go for ACS 5.4 as ACS 5.4 supports an account disablement policy for each individual user. This option allows you to disable user accounts when the configured date is exceeded. This option overrides the global account disablement policy of the users. This means that the administrator can configure different expiration dates for different users, as required. The default value for this option is 60 days from the account creation date.

SO by this you may have an option to extend that expiration date

Jatin Katyal · ‎09-13-2013

Hi degerteen,

I guess you're using this for all internal accounts to manage your network devices like router and switches.

System Administration > Users > Authentication Settings > you will see 2 tabs

1.] Password complexities

2.] Advanced tab

Click on Advanced tab and you'll see an option "Disable user account after n days if password is not changed" The valid options are from 1 to 365.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1166250

Aren't you doing the same thing already? Let me know if you have any issues.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

s.balon · ‎10-08-2013

Hi,

I have the same kind of issue.

I use the option given by jatin katyal.

But I would like to have dedicated user which never expire, by example a specific login for performing backup with only the rights to perform "show running" command.

So my question is : Can we specifify a group of user which never expire and all the rest which are forced to change their password after a given number of day.

Thanks for your help.

Steve Balon