ACS 5.1 User password expire not working

albertocolosi
Level 1

Hi, I have configured, under Administration, the password policies: password length, items to be put in such as numbers, letters and so on.

On the second tab is the password expiry for users, and I configured it to expire after 90 days.

I even tried creating a new user and changing the password of an existing user using the Apache TOMCAT WAR.

I have checked the CLOCK of the ACS appliance and set up NTP to our internal NTP servers.

Even if I create a new user, or I change the password via the Admin GUI, or I change the user password via the Apache TOMCAT WAR, the user gets disabled in a few minutes, half an hour.

As last, with CISCO AnyConnect is it possible to warn the user that the password is expiring, and if so, can the change be driven via AnyConnect, or is a manual user task on the Apache TOMCAT portal I set up with the ACS WAR application absolutely needed?

As last last, can't I disable the logon on the ASA 5510 8.3 IOS, AVOIDING that users connect via download (from the ASA portal) of the AnyConnect application? This is nice to avoid people connecting from Internet cafés and other public facilities without already having the AnyConnect application installed from a local DISK or USB device.


albertocolosi
Level 1

FORGOT TO SAY:

I use the ACS 5.1 internal user database store! I do not point to any LDAP, MS AD or other external user database store.

I think you are hitting a known issue with ACS 5.1:

CSCtf06311: All internal users disabled automatically after logging in a single user

This is resolved in a patch for ACS 5.1: cumulative patch 5.1.0.44.3, which can be downloaded from CCO.

If you decide to download a patch version, it may be worth taking the latest cumulative patch for ACS 5.1: 5.1.0.44.6.

I'll try; by now I can't evaluate until I have tried the patch! How do I have to proceed to apply it?

To install a patch, define a repository on ACS (cumulative patches are larger than 32MB, so you can't use TFTP for this), copy the patch file to the repository, then on the ACS CLI:

# acs patch install repository

Hi, we have just installed the latest patch level for 5.1, so now it is 44.6 (as ending digits).

I have enabled the password expiry and by now it seems to work fine. I don't have any user being disabled.

I don't know if, when 90 days have passed, users will be correctly disabled as the rules say.

By now I'm starting a new environment and by now I don't have any user with a password old enough to expire, but I have one with around 30 days! Possibly I'll conduct a test lowering the password expiry to 30 days so as to test.

Thanks by now.

A question! To know when and how to have a user account DISABLED after too many BAD PASSWORD tries, will I have to open a new request, or can you answer this new item here now? It is strange for CISCO to have redeveloped ACS from 4 to 5 without password aging and user disabling due to too many bad password attempts.

Here in the EU it is a LAW requirement! So for us it is a big trouble. Please help us.

ACS 5.3 will contain the following feature. ACS 5.3 is scheduled for release in October.

Internal users can be disabled based on:

  • A particular date
  • The number of days from the last enabled date
  • The number of failed attempts count
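The account-disable rules listed above, together with the 90-day password aging discussed earlier in the thread, as an added Python model (example code written for this page, not ACS code or anything from Cisco). It shows the expected semantics: a password that expires at day 90 and does not disable the account within minutes, and an account that is disabled after a configurable number of failed attempts. The policy names, user records and the dated scenario are this example's own constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


# Policy knobs mirroring the thread: password aging (90 days) plus the three
# disable conditions (fixed date, days since last enabled, failed-attempt count).
# Field names are this example's own, not ACS configuration keys (assumption).
@dataclass
class Policy:
    password_max_age_days: int = 90
    disable_on_date: Optional[datetime] = None
    disable_after_days_enabled: Optional[int] = None
    max_failed_attempts: Optional[int] = None


@dataclass
class InternalUser:
    name: str
    password_set: datetime     # when the current password was set
    last_enabled: datetime     # when the account was last (re-)enabled
    failed_attempts: int = 0
    enabled: bool = True


def password_expired(user: InternalUser, policy: Policy, now: datetime) -> bool:
    """True once the password is at least max_age days old (never after minutes)."""
    return now - user.password_set >= timedelta(days=policy.password_max_age_days)


def disable_reason(user: InternalUser, policy: Policy, now: datetime) -> Optional[str]:
    """Return which disable condition fires, or None if the account may stay enabled."""
    if policy.disable_on_date is not None and now >= policy.disable_on_date:
        return "date"
    if (policy.disable_after_days_enabled is not None
            and now - user.last_enabled >= timedelta(days=policy.disable_after_days_enabled)):
        return "days-since-enabled"
    if (policy.max_failed_attempts is not None
            and user.failed_attempts >= policy.max_failed_attempts):
        return "failed-attempts"
    return None


def authenticate(user: InternalUser, policy: Policy, password_ok: bool, now: datetime) -> str:
    """Evaluate one logon; returns 'disabled', 'bad-password', 'password-expired' or 'ok'."""
    if not user.enabled:
        return "disabled"
    # Date-based disable rules apply regardless of the supplied password.
    if disable_reason(user, policy, now) is not None:
        user.enabled = False
        return "disabled"
    if not password_ok:
        user.failed_attempts += 1
        if disable_reason(user, policy, now) == "failed-attempts":
            user.enabled = False
            return "disabled"
        return "bad-password"
    user.failed_attempts = 0          # a good logon resets the lockout counter
    if password_expired(user, policy, now):
        return "password-expired"     # user must change it; the account is NOT disabled
    return "ok"


def demo() -> dict:
    """Constructed scenario: a 90-day aging policy with lockout after 3 bad tries."""
    policy = Policy(password_max_age_days=90, max_failed_attempts=3)
    t0 = datetime(2011, 9, 1, tzinfo=timezone.utc)      # constructed reference time
    alice = InternalUser("alice", password_set=t0, last_enabled=t0)
    results = {}
    # Half an hour after the password was set the account must still work;
    # users being disabled within minutes, as in the thread, is the defect.
    results["after_30_minutes"] = authenticate(alice, policy, True, t0 + timedelta(minutes=30))
    results["day_89"] = authenticate(alice, policy, True, t0 + timedelta(days=89))
    results["day_90"] = authenticate(alice, policy, True, t0 + timedelta(days=90))
    results["still_enabled_after_expiry"] = alice.enabled
    # Lockout: three wrong passwords in a row disable the account.
    bob = InternalUser("bob", password_set=t0, last_enabled=t0)
    results["lockout_sequence"] = [
        authenticate(bob, policy, False, t0 + timedelta(minutes=i)) for i in range(3)
    ]
    results["bob_enabled"] = bob.enabled
    results["bob_next_logon"] = authenticate(bob, policy, True, t0 + timedelta(minutes=5))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The distinction the model makes is the one the thread turns on: an expired password yields a "change password" outcome while the account stays enabled, whereas the failed-attempt threshold (and the two date rules) disable the account outright; a successful logon resets the failure counter so ordinary typos never accumulate into a lockout.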