Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
931
Views
0
Helpful
6
Replies

User change his password after first login in ACS 4.1

shereifonline
Level 1
Level 1

‎04-23-2008 02:01 AM - edited ‎02-21-2020 10:20 AM

How can I force the users of my ACS to change thier passwords after the first login??

Labels:
0 Helpful
6 Replies 6

cisco24x7
Level 6
Level 6

‎04-23-2008 03:30 AM

I do not think Cisco ACS can do that by itself.

What you can do is to use "external database"

for authentication such as RSA SecurID, with

ACS integration. It does work, as seen

below:

[root@LinuxES root]# telnet 192.168.1.4

Trying 192.168.1.4...

Connected to 192.168.1.4 (192.168.1.4).

Escape character is '^]'.

User Access Verification

Username: test1

Enter PASSCODE:

Enter your new Numerical PIN, containing 4 to 8 digits

or

"x" to cancel the new PIN procedure:

Reenter PIN:

BGP_Trigger>

CCIE Security

0 Helpful

shereifonline
Level 1
Level 1
In response to cisco24x7

‎04-23-2008 03:56 AM

Can we do this if we integrate between ACS and the Windows Domain controller? the RSA is not available now.

appreciate your help. Thanks.

0 Helpful

cisco24x7
Level 6
Level 6
In response to shereifonline

‎04-23-2008 04:38 AM

do not quote me on this but according to what

I've tested about 6 months, it does not work

with Active Directory, from what I've tried

to accomplished; i.e. telnet to the router

with AD accounts proxy from ACS.

Maybe I did not setup the AD server correctly,

unlikely, but from what I've tested, it does

not work with Cisco IOS when telneting into

a cisco device.

0 Helpful

Jagdeep Gambhir
Level 10
Level 10

‎04-23-2008 12:09 PM

Hi,

You can configure password aging on ACS for ACS users, or (as in your case) you configure

password aging on your Windows Active

Directory database.

Please take a look at this document below, as I believe it provides the required

information you need to properly configure password aging for your Windows users in ACS:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs

33/user/g.htm#wp479732

To support password-aging using Windows active directory we need to have AAA client

configured for radius.

Below link gives more information on this.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs

33/user/g.htm#wp479732

For password expiry to work with tacacs we need to have the username and passwords

configured locally on the ACS server.

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs

33/user/o.htm#wp792652

Regards.

~JG

Do rate helpful posts

0 Helpful

Jagdeep Gambhir
Level 10
Level 10
In response to Jagdeep Gambhir

‎04-23-2008 12:14 PM

RADIUS Password Expiry is supported with External windows database using MS-CHAPv2. We cannot use RADIUS Password Expiry with local ACS database

0 Helpful

shereifonline
Level 1
Level 1
In response to Jagdeep Gambhir

‎04-24-2008 02:12 AM

Thanks you all for your precious suuport.

I found a link that can help in this without integrating with any thing. I though to send it to you all in case you need this in the future.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/installation/guide/passwords/ucp.html

Thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents