https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820374#M41074 <P><A href="http://www.nfrontsecurity.com/products/nfront-password-filter/index.php">nFront has a solution</A> (shows up through an easy google-search), there a probably many more.</P> Mon, 11 Jan 2016 11:55:43 GMT Karsten Iwen 2016-01-11T11:55:43Z https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820369#M41069 <P>Hi All,</P> <P>Given that Microsoft Active Directory has two limitations as follows:</P> <UL> <LI><SPAN style="line-height: normal;">Cannot reject specific word to be used in Password Reset (e.g. company name)</SPAN></LI> <LI><SPAN style="line-height: normal;">Cannot enforce Special Characters as Mandatory Complexity requirements (i.e. AD can accept the password if user submit on the following complexity "Upper Case, Lower Case, Alphanumeric , Special Characters"</SPAN></LI> </UL> <P><SPAN style="line-height: normal;">Accordingly i need your help if there is solution can modify password policy on the Active Directory&nbsp;</SPAN></P> <P>Thanks a lot in advance</P> Mon, 11 Mar 2019 06:22:48 GMT https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820369#M41069 Mohamed_Abdelbaky1 2019-03-11T06:22:48Z https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820370#M41070 <P>Perhaps you better ask in a Microsoft forum. There you'll probably get more detailed help.</P> <P>At least your problem should be possible to solve with the help of <A href="https://msdn.microsoft.com/en-us/library/ms721882(VS.85).aspx">password-filters</A>.</P> Mon, 11 Jan 2016 09:46:49 GMT https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820370#M41070 Karsten Iwen 2016-01-11T09:46:49Z https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820371#M41071 <P>Thanks Karsten,</P> <P>I think you got my question wrong as i'm asking if there is Cisco AAA Solution (e.g. ISE, ACS) can do these requirements.</P> <P></P> Mon, 11 Jan 2016 09:51:42 GMT https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820371#M41071 Mohamed_Abdelbaky1 2016-01-11T09:51:42Z https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820372#M41072 <P>Ok, the <A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_01101.html#concept_E441E6E4FC9D497483613C34E4779EC2">password policy in ISE could match your needs</A>, but it's always the policy of the authentication system that enforces the policy. If your users are in AD, then the AD-rules are in place. Only if your users are local to the ISE, these rules are enforced. That's probably not what you want to have.</P> Mon, 11 Jan 2016 10:00:12 GMT https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820372#M41072 Karsten Iwen 2016-01-11T10:00:12Z https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820373#M41073 <P>Unfortunately Yes, Users should be kept on AD , i'm wondering if there is Solution can do these requirements while remaining Users Database on AD itself.</P> Mon, 11 Jan 2016 10:14:32 GMT https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820373#M41073 Mohamed_Abdelbaky1 2016-01-11T10:14:32Z https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820374#M41074 <P><A href="http://www.nfrontsecurity.com/products/nfront-password-filter/index.php">nFront has a solution</A> (shows up through an easy google-search), there a probably many more.</P> Mon, 11 Jan 2016 11:55:43 GMT https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820374#M41074 Karsten Iwen 2016-01-11T11:55:43Z https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820375#M41075 <P>Thanks again Karsten,</P> <P>i'm targeting Cisco Solution , not any software</P> <P>your help is appreciated and i will keep looking for another solution</P> Mon, 11 Jan 2016 12:50:55 GMT https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820375#M41075 Mohamed_Abdelbaky1 2016-01-11T12:50:55Z https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820376#M41076 <P>Hi Mohamed,</P> <P>From the discussion, I understood that you want the users to be kept on the AD however the password policy defined on AD has few limitations and you want the authentication server to overwrite the password policy for the authentication query while communicating to the AD. Well that would not be possible. The password policy will be checked for the identity store you have selected on ACS/ISE/ 3rd party AAA server. That means if on ACS server you authentication settings have LOCAL database as an identity store then local database password policy will be applied and if you have AD configured then its own password policy. You need to find out if the above 2 password policy requirements can be modified on the AD itself.</P> <P></P> <P>Regards - Jatin</P> Mon, 11 Jan 2016 13:58:42 GMT https://community.cisco.com/t5/network-access-control/enforce-password-complexity-on-microsoft-active-directory/m-p/2820376#M41076 Jatin Katyal 2016-01-11T13:58:42Z