cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1833
Views
0
Helpful
5
Replies

ACS 3.0(1) Password Aging on does not work!!

hgorter
Level 1
Level 1

Dear Members,

We are using a cisco 3620 (IOS V 12.1.(5)T10) with ACS version 3.0(1) for Windows NT/2000. We use the RADIUS protocol and use the Windows 2000 user database to authenticate users.

We want users to change their password once it expired. But with ACS this does not work. The ACS log says that the user must change the password, but the user never gets this message. The result is that the user cannot dial-in because a change password is required.

If we use Steel-Belted Radius in stead of ACS every-thing goes well. And if we use the local ACS database to authenticate users - in stead of the windows 2000 user database - every-thing goes well too.

Does some-one has a solution for this?

Thanks in advance.

Kind regards,

Harry

5 Replies 5

jekrauss
Level 1
Level 1

No, password changing of the external DB is not supported in ACS until MS-CHAPv2.

Here's an excerpt from the 3.0(2) release notes:

"MS CHAP version 2 Support and MS CHAP Password Aging Support—Cisco Secure ACS supports MS CHAP version 2. In addition, we added an MS CHAP-based password-aging feature which works with the Microsoft Dial-Up Networking client, the Cisco VPN client (version 3.0 or greater), and any desktop client that supports MS CHAP. This feature prompts a user to change his or her password after a login where the user password has expired. The MS CHAP-based password-aging feature supports users who authenticate with a Windows user database and is offered in addition to password aging supported by the CiscoSecure user database.

--------------------------------------------------------------------------------

Note Cisco VPN 3000-series Concentrators and Cisco IOS will support MS CHAP password aging in upcoming releases. "

HTH

Jeff

Dear Jeff,

Thanks for your reply. The same is written for the release notes version 3.0(1).

If I understood well - it means that ACS 3.0 does support password aging but Cisco IOS will start support password aging in upcomming releases.

Which upcomming releases? Are these releases already available?? If not available yet, when will they released then?

Can some-one give me the answers please?

Thanks in advance.

Kind regards,

Harry

It is currently supported in 12.2(2)XB6 and "should" (my best guess) be integrated into the next T train release after 12.2.(11)T.'

Keep in mind that Microsoft still has some issues with this feature on Win2k and WinXP, but it has been proven on this image with Win98 for sure. I can't speak for under what conditions the other OS's will or won't work.

HTH

Jeff

Dear Jeff,

Thanks again for your reply.

For my understanding: Does password aging in ACS only work if we use ACS version 3.02 in combination with IOS version 12.2(2)XB6 or greater release than 12.2(11)T?

In other words: Do we need a new IOS version to make password aging in ACS 3.02 work??

I am looking forward to your answer.

Kind regards,

Harry

hgorter
Level 1
Level 1

Dear Members,

It seems that Microsoft has a fix for this problem.

Please look at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q326770

I am going to test it and I hope that it really solve the problem. I let you know.

Kind Regards,

Harry