AD user password changing with ACS 5.0

yameogo978 · ‎10-12-2011

Hi,

I use ACS appliance 1120 for cisco devices administration. The identity store is external. I use Active directory.

Actually, Authentication, authorization and accounting work well but users can not change theirs Active directory password when they have expired.

Do you now how to configure ACS to permit password changing?

Thanks

Moïse YAMEOGO

jrabinow · ‎10-12-2011

This capability is available I think in ACS 5.1 and onwards. You would need to download rhe version from CCO and upgrade. Note if you install 5.1 I would recommend to install the latest cummulative patch for ACS 5.1 as well: 5.1.0.44.6

Note that ACS product line is now up to ACS 5.3

yameogo978 · ‎10-12-2011

Hi, Thanks for your response.

I think that this capability is also available in ACS 5.0. In the ACS user guide, it noted that " Changing the password for EAP-FAST and PEAP with inner MSCHAPv2 is also supported.

I use TACACS+ as AAA protocol. May be there is configuration to do in ACS or device?

Thanks

jrabinow · ‎10-12-2011

Right the flow is there but I think specifically support for change password on AD is only in 5.1

Can check by going to

Users and Identity Stores > External Identity Stores > Active Directory

and see if have flag "Allow password change"

yameogo978 · ‎10-12-2011

Yes, there is a flag on "allow password change", but it does not work.

is there no other configuration is done on equipment or on the acs?

Thanks

jrabinow · ‎10-21-2011

Sorry for going dark on you

I am pretty sure that you will find this working in ACS 5.1 and onwards but haven't yet managed to dig out any history/CDETS to confirm the change that was made in ACS 5.1

My recommendation remains to:

" install 5.1 I would recommend to install the latest cummulative patch for ACS 5.1 as well: 5.1.0.44.6"