https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231725#M373726 <HTML><HEAD></HEAD><BODY><P>Is this bug fixed already??? I need to configure password aging for vpn clients with</P><P>users configured on the internal ACS Database.</P><P></P><P>Regards,</P><P></P><P>Fernando</P></BODY></HTML> Wed, 16 Dec 2009 00:57:43 GMT fernandoaguirre 2009-12-16T00:57:43Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231716#M373442 <P>I am trying to configure password aging for my VPN clients. What I have is a Cisco VPN Concentrator 3000 series that uses an Cisco ACS server 3.3 for user authentication using the local database. The users are using the Cisco VPN Client, 4.x. We are upgrading the ACS server to 4.2 shortly if that helps. </P><P></P><P>What I want to be able to do is set the Password Aging rules on the groups in Cisco ACS and have this information pass to the user via the VPN client. So for example:</P><P></P><P>---The user is assigned to group "Accounting" in Cisco ACS. This group has the Password Aging rule- Apply age-by-uses rules. Issue warning after "2" logins and Require change after "4" logins.</P><P></P><P>---The user logs in using the Cisco VPN client and while logging in for the 3rd time receives the message that their account will expire after the next login.</P><P></P><P>---This user then has the ability to change their password using the Cisco VPN client.</P><P></P><P>This seems like it should be fairly straightforward to setup but I have not come across much documentation that spells out the steps to make this work.</P> Sun, 10 Mar 2019 23:26:41 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231716#M373442 smolz 2019-03-10T23:26:41Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231717#M373499 <HTML><HEAD></HEAD><BODY><P>This functionality would be very useful... but its not there.</P><P></P><P>ACS password ageing only works with TACACS+ shell login. AKAIK the password expiry messages are not carried over RADIUS at all.</P></BODY></HTML> Fri, 17 Apr 2009 13:03:58 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231717#M373499 darpotter 2009-04-17T13:03:58Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231718#M373563 <HTML><HEAD></HEAD><BODY><P>I seem to remember reading about using a Microsoft IAS radius server that it would push that through to the VPN client. </P><P></P><P>Without the ability for users to change their passwords remotely this seems like an really incomplete solution. </P></BODY></HTML> Fri, 17 Apr 2009 18:04:06 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231718#M373563 smolz 2009-04-17T18:04:06Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231719#M373605 <HTML><HEAD></HEAD><BODY><P>RADIUS Password Expiry is supported with External windows database using MS-CHAPv2. We cannot use RADIUS Password Expiry with local ACS database.</P><P></P><P>Here is a configuration example:</P><P>Configure the Cisco VPN 3000 Series Concentrators to Support the NT Password Expiration Feature with the RADIUS Server</P><P></P><P>Document ID: 12086</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946b9.shtml" target="_blank">http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800946b9.shtml</A>#</P></BODY></HTML> Fri, 17 Apr 2009 18:18:14 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231719#M373605 ansalaza 2009-04-17T18:18:14Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231720#M373650 <HTML><HEAD></HEAD><BODY><P>According to the literature:</P><P></P><P>Q. Does Cisco Secure ACS support forced password change based on password age and other criteria?</P><P>A. Password aging is available for users in the ACS internal database and users in a Microsoft Windows Active Directory database.</P><P></P><P>Does this not apply?</P></BODY></HTML> Fri, 17 Apr 2009 18:29:43 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231720#M373650 smolz 2009-04-17T18:29:43Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231721#M373679 <HTML><HEAD></HEAD><BODY><P>How does this apply if I am using SSL VPN client/clientless through an Cisco ASA? </P></BODY></HTML> Fri, 17 Apr 2009 18:39:27 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231721#M373679 smolz 2009-04-17T18:39:27Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231722#M373683 <HTML><HEAD></HEAD><BODY><P>Yes, it does: </P><P></P><P>ACS 3.3:</P><P>Cisco Secure ACS supports four distinct password aging mechanisms: </P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/g.html#wp479534" target="_blank">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/g.html#wp479534</A></P><P></P><P>ACS 4.2:</P><P>Varieties of Password Aging Supported by ACS </P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp525115" target="_blank">http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp525115</A></P></BODY></HTML> Fri, 17 Apr 2009 18:42:49 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231722#M373683 ansalaza 2009-04-17T18:42:49Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231723#M373704 <HTML><HEAD></HEAD><BODY><P>For SSL:</P><P></P><P>Make sure you have MS-CHAP V2 enabled on AD.</P><P></P><P>Add password management to the tunnel-group.</P><P></P><P>tunnel-group DefaultWEBVPNGroup general-attributes</P><P> password-management</P><P></P><P></P><P>Password-management command support on ASA:</P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1000458" target="_blank">http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp1000458</A> </P><P></P></BODY></HTML> Fri, 17 Apr 2009 18:51:26 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231723#M373704 ansalaza 2009-04-17T18:51:26Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231724#M373716 <HTML><HEAD></HEAD><BODY><P>There is an enhancement request filed for this:</P><P></P><P>CSCsj50218 Bug Details</P><P>Password expiry feature should be support for users local to ACS</P><P></P><P>Symptom:</P><P></P><P>ACS currently does not support password expiry / password management feature for locally configured users.</P><P></P><P>Conditions:</P><P></P><P>users are configured locally on ACS as opposed to an external database such as active directory.</P><P></P><P>Workaround:</P><P></P><P>user external database / server where user profiles are setup.</P></BODY></HTML> Fri, 17 Apr 2009 19:09:21 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231724#M373716 ansalaza 2009-04-17T19:09:21Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231725#M373726 <HTML><HEAD></HEAD><BODY><P>Is this bug fixed already??? I need to configure password aging for vpn clients with</P><P>users configured on the internal ACS Database.</P><P></P><P>Regards,</P><P></P><P>Fernando</P></BODY></HTML> Wed, 16 Dec 2009 00:57:43 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231725#M373726 fernandoaguirre 2009-12-16T00:57:43Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231726#M373732 <HTML><HEAD></HEAD><BODY><P>Password expiry for internal users is supported in ACS 5.1. ACS 5.1 is</P><P>available for download from CCO.</P></BODY></HTML> Wed, 16 Dec 2009 06:13:29 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231726#M373732 jrabinow 2009-12-16T06:13:29Z https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231727#M373739 <HTML><HEAD></HEAD><BODY><P>Hello.</P><P></P><P>This is rather old topic but I hope to find help here <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/images/emoticons/happy.gif"></SPAN></P><P></P><P>Our users are connecting to VPN3000 and authenticated from internal database of ACS 5.1 via RADIUS between these devices. We've installed UCP service. Now I want to remind user whose password should be expired soon that he can change it via UCP (e. g. with link to UCP page). Is there any way to do it with standard features of ACS 5.1 and VPN3000 ?</P><P></P><P></P><P>Thanks in advance for any help.</P><P></P><P>Pavel.</P></BODY></HTML> Mon, 28 Feb 2011 01:31:52 GMT https://community.cisco.com/t5/network-access-control/cisco-acs-password-expiration/m-p/1231727#M373739 pbaleshenko 2011-02-28T01:31:52Z