topic Re: Password expired in Network Access Control

Password expired

acontes — Mon, 11 Mar 2019 02:05:05 GMT

Hi,

today we had an issue with our ACS 5.2.0.26.8. For some 802.1x Accounts i have configured ACS–RESERVED–Never–Expired=True but today all of them were set to expired as i could see in the ACS Instance Logfile. Blocking Reason=PASSWORD_EXPIRED.

Any hints on that?

Regards, Andreas

Password expired

maldehne — Mon, 14 May 2012 06:21:51 GMT

Hi Andreas

What type of EAP authentication are you using?

Can you please send me screen shots from Users --> Authentication Settings

Screen shot from the Access Service where the EAP protocols detailed are viewed?

Sample screen shot from the settings of internal user?

Regards

Password expired

Dominic Stalder (old profile) — Tue, 15 May 2012 09:37:36 GMT

Hi maldehne

we have the same problem, I used it for TACACS+ Authentication, here you find the "allowed protocols" for our access service.

Do I need to enable MSCHAPv2 for ACS-RESERVED-Never-Expired to work?

Best regards

Dominic

Password expired

maldehne — Tue, 15 May 2012 11:23:33 GMT

Hello Dominic

Please try to redefine the attribute again by manually entering the attribute, sometimes copy and paste might cause replacement of '-' with space. I have seen that in one case before.

Also do you have any policy condition mapped to the attribute , if so try to disable it and let me know how it goes.

Regards

Re: Password expired

Dominic Stalder (old profile) — Tue, 15 May 2012 11:38:30 GMT

Hi maldehne

thanks for your fast feedback. Indeed, when I entered the attribute manuelly, the dropdown (with previous entered values) of the browser disapeared after the ACS-, so there was a copy/paste problem.

BUT this did not solve the problem yet, I still get the following login prompt:

username: test2

password:

Enter new password:

Below you see some more configuration details. We use ACS 5.3.0.40.

Thanks a lot and best regards

Dominic

Re: Password expired

maldehne — Tue, 15 May 2012 21:36:54 GMT

Please make sure that your setup has been done according to th following:

STEP 1:

To make internal user accounts never expire, Go to System Administration >

Users > Authentication Settings:

. Select the "Advanced" tab and select "Never" under "Account

Disable".

If you want to notify users for password expiry then under the "Advanced"

tab:

. Select "Display Reminder after n days" under "Password Lifetime"

("n" can be days from 1 to 365)

STEP 2:

1) System Administration > Configuration > Dictionaries > Identity >

Internal Users add Boolean attribute with name "ACS-RESERVED-Never-Expired"

and set it to false.

2) Go to the user you don't want the password to expire and set the

"ACS-RESERVED-Never-Expired" this field to be true, do the same for each

account that you do not want the password to expire

Re: Password expired

Dominic Stalder (old profile) — Tue, 15 May 2012 22:31:26 GMT

Great, I did not know, that the default value has to be FALSE in anyway, I thought I can use TRUE OR FALSE, but it is definitely only FALSE.

Thanks a lot and best regards (5 points to go... 😉

Dominic

Re: Password expired

maldehne — Wed, 16 May 2012 06:22:56 GMT

BTW Dominic please make sure to flag the thread as solved.

Re: Password expired

Dominic Stalder (old profile) — Wed, 16 May 2012 06:34:34 GMT

I would like, but because it is not MY discussion, I can not mark your great answer as the correct one!

Sorry for that.

Best regards

Dominic

Password expired

acontes — Fri, 28 Sep 2012 08:25:58 GMT

Before, authentication failed because of "password expired".

But now I am struggling with an another issue. The password now will not expire, but authentications failed because of the following reason "24203 User need to change password".

cant believe that...

I have to say this: ACS 5 is a really epic fail with these user specific parameters. i cant migrate my 802.1x users, my vpn users and my technical users (i.e. for cisco works). all because of this password expire "thing".

Looks like i really have to buy 2 acs systems. one with tacacs config for device administration and password expiration and one with radius config for network access without password expiration 😕