08-26-2011 12:24 PM - edited 03-10-2019 06:20 PM
Hi, I have configured, under Administration, password policies for password length, the items to be included such as numbers, letters and so on.
On the second tab is the password expiry for users, and I configured it to expire after 90 days.
I even tried creating a new user and changing the password of an existing user using the Apache TOMCAT WAR.
I have checked the CLOCK of the ACS appliance and set up NTP on our internal NTP servers.
Whether I create a new user, change the password via the Admin GUI, or change the user password via the Apache TOMCAT WAR, the user is disabled in a few minutes, half an hour.
Lastly, with CISCO AnyConnect, is it possible to warn the user that the password is expiring and, if so, can the change be driven via AnyConnect, or is a manual user task absolutely needed on the Apache TOMCAT portal I set up with the ACS WAR application?
And finally, can't I disable the logon on the ASA 5510 8.3 IOS, PREVENTING the user from connecting via download (from the ASA portal) of the AnyConnect application? This would be nice to prevent people from connecting from Internet cafés and other public facilities that do not already have the AnyConnect application installed from a local DISK or USB device.
08-26-2011 12:30 PM
FORGOT TO SAY:
I use ACS 5.1 Internal Store User Database! I do not point to any LDAP or MS AD or other external User Database store.
08-27-2011 10:31 PM
I think you are hitting a known issue with ACS 5.1:
CSCtf06311: All internal users disabled automatically after logging in a single user
This is resolved in a patch for ACS 5.1: cumulative patch 5.1.0.44.3, which can be downloaded from CCO.
If you decide to download a patch version, it may be worth taking the latest cumulative patch for ACS 5.1: 5.1.0.44.6
08-31-2011 03:08 AM
I'll try; for now I can't evaluate until I've tried the patch! How do I proceed to apply it?
08-31-2011 06:55 AM
To install a patch define a repository on ACS (cumulative patches are larger than 32MB so you can't use TFTP for this), copy the patch file to the repository, then on ACS' CLI:
# acs patch install
09-21-2011 08:11 AM
Hi, we have just installed the latest patch level for 5.1, so now it is 44.6 (as ending digits).
I have enabled password expiry and for now it seems to work fine. I don't have any users being disabled.
I don't know whether, when 90 days have passed, users will be correctly disabled as the rules say.
For now I'm starting a new environment and I don't have any user with a password old enough to expire, but I have one at around 30 days! Possibly I'll conduct a test, lowering password expiry to 30 days in order to test.
Thanks for now.
A question! To know when and how to have a user account DISABLED after too many BAD PASSWORD tries, do I have to open a new request, or can you answer this new item here now? It is strange for CISCO to have redeveloped ACS from 4 to 5 without password aging and user disabling due to too many bad password issues.
Here in the EU it is a LEGAL requirement! So for us it is a big trouble. Please help us.
09-21-2011 09:03 AM
ACS 5.3 will contain the following feature. ACS 5.3 is scheduled for release in October.
Internal Users can be disabled based on