We are using a Cisco 3620 (IOS V 12.1.(5)T10) with ACS version 3.0(1) for Windows NT/2000. We use the RADIUS protocol and use the Windows 2000 user database to authenticate users.
We want users to change their password once it has expired. But with ACS this does not work. The ACS log says that the user must change the password, but the user never gets this message. The result is that the user cannot dial in because a change password is required.
If we use Steel-Belted Radius instead of ACS everything goes well. And if we use the local ACS database to authenticate users - instead of the Windows 2000 user database - everything goes well too.
No, password changing of the external DB is not supported in ACS until MS-CHAPv2.
Here's an excerpt from the 3.0(2) release notes:
"MS CHAP version 2 Support and MS CHAP Password Aging Support
Cisco Secure ACS supports MS CHAP version 2. In addition, we added an MS CHAP-based password-aging feature which works with the Microsoft Dial-Up Networking client, the Cisco VPN client (version 3.0 or greater), and any desktop client that supports MS CHAP. This feature prompts a user to change his or her password after a login where the user password has expired. The MS CHAP-based password-aging feature supports users who authenticate with a Windows user database and is offered in addition to password aging supported by the CiscoSecure user database.
It is currently supported in 12.2(2)XB6 and "should" (my best guess) be integrated into the next T train release after 12.2.(11)T.'
Keep in mind that Microsoft still has some issues with this feature on Win2k and WinXP, but it has been proven on this image with Win98 for sure. I can't speak for under what conditions the other OSes will or won't work.
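For troubleshooting the symptom in this thread, the following added example (not part of the original posts and not Cisco's code) parses the MS-CHAPv2 failure string that a RADIUS server relays to the client, and checks whether it actually signals an expired password the client can change. The field layout and error codes are those of RFC 2759; the sample string and function names are constructed for illustration.

```python
import re

# Failure codes defined in RFC 2759, section 6 (MS-CHAPv2 Failure packet).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Constructed sample, not captured from a real server.
SAMPLE = "E=648 R=0 C=00112233445566778899AABBCCDDEEFF V=3 M=Password expired"

_FIELD = re.compile(r"\b([ERCV])=(\S+)")


def parse_mschap_failure(message: str) -> dict:
    """Parse 'E=... R=... C=... V=... M=...' into typed fields."""
    # M= is free text and may contain spaces, so split it off first.
    head, _, text = message.partition(" M=")
    fields = dict(_FIELD.findall(head))
    if not fields.get("E", "").isdigit():
        raise ValueError("not an MS-CHAP failure string: %r" % message)
    code = int(fields["E"])
    version = fields.get("V", "")
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry": fields.get("R") == "1",
        "challenge": fields.get("C"),
        "version": int(version) if version.isdigit() else None,
        "text": text or None,
    }


def can_prompt_password_change(message: str) -> bool:
    """True only if the server reports expiry (E=648) and advertises
    the MS-CHAPv2 password-change protocol (V=3)."""
    failure = parse_mschap_failure(message)
    return failure["code"] == 648 and failure["version"] == 3


if __name__ == "__main__":
    print(parse_mschap_failure(SAMPLE), can_prompt_password_change(SAMPLE))
```

If the reject seen by the client carries no such string, or carries E=691 instead of E=648, the client has nothing to prompt on, which matches the behaviour described in the question.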