Today we had an issue with our ACS 22.214.171.124.8. For some 802.1x accounts I have configured ACS-RESERVED-Never-Expired=True, but today all of them were set to expired, as I could see in the ACS instance logfile. Blocking Reason=PASSWORD_EXPIRED.
Any hints on that?
What type of EAP authentication are you using?
Can you please send me screen shots from Users --> Authentication Settings
Screen shot from the Access Service where the EAP protocol details are viewed?
Sample screen shot from the settings of internal user?
We have the same problem. I used it for TACACS+ authentication; here you find the "allowed protocols" for our access service.
Do I need to enable MSCHAPv2 for ACS-RESERVED-Never-Expired to work?
Please try to redefine the attribute again by manually entering the attribute, sometimes copy and paste might cause replacement of '-' with space. I have seen that in one case before.
Also, do you have any policy condition mapped to the attribute? If so, try to disable it and let me know how it goes.
Thanks for your fast feedback. Indeed, when I entered the attribute manually, the dropdown (with previously entered values) of the browser disappeared after the "ACS-", so there was a copy/paste problem.
BUT this did not solve the problem yet, I still get the following login prompt:
Enter new password:
Below you see some more configuration details. We use ACS 126.96.36.199.
Thanks a lot and best regards
Please make sure that your setup has been done according to the following:
To make internal user accounts never expire, go to System Administration > Users > Authentication Settings:
- Select the "Advanced" tab and select "Never" under "Account
If you want to notify users of password expiry, then under the "Advanced" tab:
- Select "Display Reminder after n days" under "Password Lifetime" ("n" can be days from 1 to 365)
1) System Administration > Configuration > Dictionaries > Identity > Internal Users: add a Boolean attribute with the name "ACS-RESERVED-Never-Expired" and set it to false.
2) Go to the user whose password you don't want to expire and set the "ACS-RESERVED-Never-Expired" field to true; do the same for each account whose password you do not want to expire.
Great, I did not know that the default value has to be FALSE anyway; I thought I could use TRUE or FALSE, but it is definitely only FALSE.
Thanks a lot and best regards (5 points to go... ;-)
I would like to, but because it is not MY discussion, I cannot mark your great answer as the correct one!
Sorry for that.
Before, authentication failed because of "password expired".
But now I am struggling with another issue. The password now will not expire, but authentication fails because of the following reason: "24203 User need to change password".
Can't believe that...
I have to say this: ACS 5 is a really epic fail with these user-specific parameters. I can't migrate my 802.1x users, my VPN users and my technical users (i.e. for CiscoWorks), all because of this password expiry "thing".
Looks like I really have to buy 2 ACS systems: one with TACACS config for device administration and password expiration, and one with RADIUS config for network access without password expiration :-/