11-02-2004 01:50 AM - edited 03-10-2019 01:52 PM
I'm running authentication proxy on an IOS firewall. Is it possible to have it interact with ACS 3.2 on Windows so that incoming HTTP users are offered the possibility to change their password either when it expires or when they log on for the first time (apply password change rule checked in on ACS)?
11-08-2004 07:00 AM
To configure the ACS 3.2 User-Changeable Passwords feature, please refer to the document at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/ucp.htm. Also, I don't see why you feel that the IOS firewall might not work with ACS. I guess that the normal commands necessary to configure AAA on a router should be sufficient.
11-08-2004 08:01 AM
I feel it might not work because:
1) Imagine I create a new user and give him a password that must be changed at first log in.
2) When the user wants to access my internal HTTP servers, his request is intercepted by the Auth-Proxy and he is prompted by a Log-In window that sends its userID/Password to ACS for authentication.
3) From the tests I've made, it is not possible for the user to change his password from the Log-in window sent by the Auth-Proxy (my IOS firewall). The result is that the user is not able to log in to my internal HTTP servers and is disabled by ACS?
Therefore, as you suggested, I must install UCP but have it accessible before the HTTP request reaches my IOS Firewall. This is technically feasible, but I'm reluctant to have an HTTP server so "easily" accessible from outside.
But I may have missed something too .....