Cisco Support Community

No password expiry warning is given, per the password expiration rules set in the ACS database, when a VPN connection is authenticated using CiscoSecure ACS

Core issue

When the password expiry feature is used for users located on the CiscoSecure ACS local database, the CiscoSecure Authentication Agent (CAA) must be installed in order for the password aging rule to work.


The CAA sits on a remote Cisco SOHO site client PC or a dial-in client PC served by a host network. The CAA provides a user GUI for end-users to access and manage their ISDN or dial-in connections to their host network with CiscoSecure ACS for Windows NT or CiscoSecure ACS for UNIX installed. The CAA is located on the CiscoSecure ACS installation CD in the ACS Utilities folder.

Refer to "Cisco Secure Authentication Agent" for more information on the CAA.

If there are Windows users, configure the VPN 3000 Concentrator and CiscoSecure ACS to support the NT password expiration feature. Refer to "Configure the Cisco VPN 3000 Series Concentrators to Support the NT Password Expiration Feature with the RADIUS Server" for more information.