https://community.cisco.com/t5/network-access-control/caa-problem/m-p/217454#M435194 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>CAA is just a method to transfer the messaging (about password aging) from ACS to the client (not related to NAS).</P><P>It uses udp port 7500 and it's important the NAS doesn't have any ACLs blocking it.</P><P></P><P>You need to install CAA on the client , configure password aging rules on the user/group in ACS DB and then when the user reaches the specific rule , a message should pop up on the client alerting the user that its password expires in X days etc...</P><P></P><P>Radius is the method ACS talks to the NAS and doesn't have anything to do with CAA.</P><P></P><P>CAA is working when NAS is talking Radius to ACS , ofcourse.</P><P></P><P>Ami</P></BODY></HTML> Fri, 14 Nov 2003 20:06:44 GMT aschiebe 2003-11-14T20:06:44Z https://community.cisco.com/t5/network-access-control/caa-problem/m-p/217451#M435191 <P>Hi</P><P></P><P>I am trying to get CiscoSecure Authentication Agent working: Does anyone know whether it can work in my configuration.</P><P></P><P>ACS 3.2 using Radius</P><P>The NAS is a 2611 router (home gateway) running IOS 12.2</P><P></P><P>The main reason for CAA is to get ACS's Password Ageing functionality.</P><P>Thanks</P><P>P</P> Sun, 10 Mar 2019 14:33:57 GMT https://community.cisco.com/t5/network-access-control/caa-problem/m-p/217451#M435191 pvanvuuren 2019-03-10T14:33:57Z https://community.cisco.com/t5/network-access-control/caa-problem/m-p/217452#M435192 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>Depending on the location of your users you may choose CAA/UCP or MSCHAPv2 for Password Aging functionality.</P><P>If ACS is authenticating to Active Directory - you need to choose MSCHAPv2.</P><P>If ACS is using its internal DB - UCP (User Changeable Password) or CAA (CiscoSecure Authentication Agent) are your choices.</P><P></P><P>CAA is described thoroughly in <A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/secureaa/csaa3b.htm" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/secureaa/csaa3b.htm</A></P><P></P><P>Ami</P></BODY></HTML> Wed, 12 Nov 2003 21:25:36 GMT https://community.cisco.com/t5/network-access-control/caa-problem/m-p/217452#M435192 aschiebe 2003-11-12T21:25:36Z https://community.cisco.com/t5/network-access-control/caa-problem/m-p/217453#M435193 <HTML><HEAD></HEAD><BODY><P>Ok, its starting to become a bit clearer to me now. </P><P>ACS will not be authenticatin towards AD. We're using the internel ACS user databse. I have tested UCP and it works very well. Even the reporting side of it too. I want to use CAA , but the online documentation is a bit vague. </P><P></P><P>Can I use RADIUS with CAA? </P><P>And are there anything in regards to config that are important to have.</P><P>Thanks.</P></BODY></HTML> Fri, 14 Nov 2003 10:29:03 GMT https://community.cisco.com/t5/network-access-control/caa-problem/m-p/217453#M435193 pvanvuuren 2003-11-14T10:29:03Z https://community.cisco.com/t5/network-access-control/caa-problem/m-p/217454#M435194 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>CAA is just a method to transfer the messaging (about password aging) from ACS to the client (not related to NAS).</P><P>It uses udp port 7500 and it's important the NAS doesn't have any ACLs blocking it.</P><P></P><P>You need to install CAA on the client , configure password aging rules on the user/group in ACS DB and then when the user reaches the specific rule , a message should pop up on the client alerting the user that its password expires in X days etc...</P><P></P><P>Radius is the method ACS talks to the NAS and doesn't have anything to do with CAA.</P><P></P><P>CAA is working when NAS is talking Radius to ACS , ofcourse.</P><P></P><P>Ami</P></BODY></HTML> Fri, 14 Nov 2003 20:06:44 GMT https://community.cisco.com/t5/network-access-control/caa-problem/m-p/217454#M435194 aschiebe 2003-11-14T20:06:44Z