Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

How to set Password History in ACS? Sarbanes-Ox...

I am using acs 4.0 for tacacs auth to network devices. I need to be able to force the password history to prevent users from using any of the previous 5 passwords. I see that there is an option to prevent from using the "last" one, but not 5. Can I overwrite this somewhere?

thanks -j


Re: How to set Password History in ACS? Sarbanes-Ox...


The latest version of ACS (4.1) has new features specifically designed to address SOX issues:

"This release contains new ACS administrator permissions to improve password management and audit reports for regulatory compliance; for example, Sarbanes-Oxley (SOX). ACS includes the following capabilities for:"


* Forcing periodic change of administrator?s password.

* Applying password structure policy.

* Forcing administrator's password change for inactive account.

* Preventing the reuse of old password (password history).

* Disabling administrator accounts for inactivity.

* Disabling administrator accounts after failed logins.

* Allowing ACS administrators to change their own passwords.

Audit and Reporting:

* Logging all administrative actions via system logging (syslog), in addition to existing logging targets.

* Controlling administrators? access to log file configuration to prevent specific audit logging from being disabled.

* Adding new reports for administrators privileges.


* Providing a read-only privilege for users and groups.

HTH - plz rate if useful.



Re: How to set Password History in ACS? Sarbanes-Ox...


If you're looking at SOX compliance, please take a look at aaa-reports! We can import the ACS database to document your TACACS+ config.

Not only that, but we can run reports to show:

* What devices a user/group can access (via NARs)

* What commands a user/group can execute (via NDG->DCS mappings)

* User password/account statuses

* DCS/NAR references (ie which groups)

* Unreferenced DCS/NAR (ie redundant)

* Much more!

..and all that in addition to regular reports driven off accounting, passed/failed attempts etc

CreatePlease to create content