Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN authentication using ACS 3.1(1) db

Is it possible using ACS to not only allow users using a Cisco VPN Client the ability to authenticate to a VPN 3000 concentrator, but also the ability to change their password ?

We are currenlty using a Win2000 domain via the ACS box to authenticate users, we would like to remove the domain from the current setup and just use ACS. The problem we encountered with earlier versions of ACS was once a user id/pass was setup, the user had no ability to change their password (using the cisco client) when logging into vpn for the first time, or the ability to expire a user password after 6 months and then prompt them for a new one. We don't want to have to give users a utility to install to do this.

Is this functionality available in ACS 3.1(1) ?

Cisco Employee

Re: VPN authentication using ACS 3.1(1) db

This is more a function of the VPN client and the VPN concentrator, cause it has to detect the password has expired and prompt the user.

This feature has been in the VPN concentrator and client since 3.5 code, see and for details, but basically select the "Radius with Expiry" option under the IPSec tab in the group parameters.

The Radius server has to support MSCHAPv2, which ACS v3.1(1) does. You also have to continue to use the NT database with it, this doesn't work when the usernames are stored on the local ACS database.