topic Re: Password Aging & Account Lockout in ACS 4.2 in Network Access Control

Password Aging & Account Lockout in ACS 4.2

yusuf.ujjainwala — Mon, 11 Mar 2019 00:42:05 GMT

I have a requirement that in ACS the user accounts should get disabled after 1 day , so in the group setting under the Password Aging Field I configured the same as 1 day , the Grace & Warning Period is 0 days

I want that all these user accounts would be active for 30 days , and the moment the account is used (i.e the Start Message appears in the Radius Accounting ) then after 1 day from the usage then as per the Password Aging Rule the account should get expired.

Now my query is this password aging rule will start from the day I create the account in the ACS or from the day the user logs in.

I don’t want to use the Account Lockout Tab as I don’t know when the guest account would be used.

Request someone to help pls clarify my doubt.

Regards

Re: Password Aging & Account Lockout in ACS 4.2

andamani — Sat, 08 Jan 2011 07:10:11 GMT

Hi Yusuf,

Password Aging on ACS will just prompt to change the password. it will not disable the account.

The Account is present on the AD. So the Disabling and lockout features for an account will come from the AD.

I don't think a change in password for a guest account is what you would want to do.

Also according to me disabling the account should be a feature only for the AD admin and not open. A lockout can definately happen but that also has to be defined on the AD.

The link to password Aging on ACS is as follows:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp525115

Hope this helps.

Regards,

Anisha

P.S.: please mark this string as answered if you feel the query is answered.

Re: Password Aging & Account Lockout in ACS 4.2

yusuf.ujjainwala — Sat, 08 Jan 2011 07:29:20 GMT

Hi Anisha

Thanks for the reply.

You are correct that we dont want the guest to change the password. Our idea is that we will create generic accounts whose account validity would be say for 30 days. Now within the 30 days whenever the account is used then if the Password Aging Parameter is set as 1 day then after 1 day of usage the password would get expired and we know for sure that the guest would not be able to use the account even though it is active.

We are not creating any accounts on the AD , all the accounts are on the local ACS internal database.

I am not clear if the requirement can be met through the Password Aging Parameter.

Re: Password Aging & Account Lockout in ACS 4.2

andamani — Sat, 08 Jan 2011 07:44:52 GMT

Hi Yusuf,

Password aging is used when the users are present in AD.

i guess to restrict the access of the account on the local database of the ACS, one can try the combinations of set max sessions, user usage quotas and user account disablement.

I have never tried it. I am not sure if that will work, but i guess it is worth a try.

The link which explains the following is as following:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrMgt.html#wp273024

Regards,

Anisha.

P.S.: please mark this thread as answered if you think your query is answered.

Re: Password Aging & Account Lockout in ACS 4.2

yusuf.ujjainwala — Sat, 08 Jan 2011 08:24:56 GMT

I will go with your suggestion of the Usage Policy etc

Thanks very much