topic ACS 5.1 - How AD user can change password in Network Access Control

ACS 5.1 - How AD user can change password

sadiqallawati — Mon, 11 Mar 2019 00:09:40 GMT

Hi,

I have installed ACS 5.1 in one of our customer location, and I integrated with their AD successfully, authentication and authorization works perfectly.

My question is for example if from AD I forced the user to change the password at next logon. Now if this user login to the switch he will get the password change msg but after trying to change the password I get (authentication failed), which means he cannot change the password.

I have seen in the user guide document from cisco that this is possible but i was looking for a more detailed guide if possible.

Thanks

Re: ACS 5.1 - How AD user can change password

Jatin Katyal — Tue, 25 May 2010 12:31:08 GMT

Sadiq,

Are you trying SSH or Telnet for password change?

What error message are you getting in tacacs autnentication?

Also, please provide me the sh version from the device and following debugs

debugs tacacs

debug aaa authentication

term mon

MSCHAPv2 for Change Password

When you use EAP-MSCHAPv2 (as an EAP inner method) to authenticate a user whose password has expired, ACS sends a specific EAP-MSCHAPv2 failure notification to the client. The client can prompt the user for new password and then provide it to ACS inside the same conversation. The new password is encrypted with the help of the old one. When a user password is changed successfully, the new user password is stored in the credential database.

EAP-MSCHAPv2 change password is supported for AD and ACS internal identity store.

HTH

Do rate hopeful posts-

Re: ACS 5.1 - How AD user can change password

sadiqallawati — Tue, 25 May 2010 18:31:35 GMT

well my friend thanks alot for your reply.

My mistake, I was trying to use noncomplaint passwords, AD was rejecting those passwords. Afterwards I tried both SSH and TELNET both works well.