CAA Problem

pvanvuuren
Level 3

Hi

I am trying to get CiscoSecure Authentication Agent working. Does anyone know whether it can work in my configuration?

ACS 3.2 using Radius

The NAS is a 2611 router (home gateway) running IOS 12.2

The main reason for CAA is to get ACS's Password Ageing functionality.

Thanks

P

3 Replies

aschiebe
Level 1

Hi

Depending on the location of your users you may choose CAA/UCP or MSCHAPv2 for Password Aging functionality.

If ACS is authenticating to Active Directory - you need to choose MSCHAPv2.

If ACS is using its internal DB - UCP (User Changeable Password) or CAA (CiscoSecure Authentication Agent) are your choices.

CAA is described thoroughly in http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/secureaa/csaa3b.htm

Ami

Ok, it's starting to become a bit clearer to me now.

ACS will not be authenticating towards AD. We're using the internal ACS user database. I have tested UCP and it works very well. Even the reporting side of it too. I want to use CAA, but the online documentation is a bit vague.

Can I use RADIUS with CAA?

And is there anything in regards to config that is important to have?

Thanks.

Hi

CAA is just a method to transfer the messaging (about password aging) from ACS to the client (not related to NAS).

It uses UDP port 7500 and it's important the NAS doesn't have any ACLs blocking it.

You need to install CAA on the client, configure password aging rules on the user/group in ACS DB and then when the user reaches the specific rule, a message should pop up on the client alerting the user that its password expires in X days etc...

Radius is the method ACS talks to the NAS and doesn't have anything to do with CAA.

CAA is working when NAS is talking Radius to ACS, of course.

Ami
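
One way to check the ACL point from the last reply, as an added example that is not part of the original thread: a first-match evaluator for numbered extended IOS ACL lines that reports which entry would drop UDP 7500. The function names and the sample ACL are constructed; it assumes numeric ports, treats every address as matching, and tests 7500 as both source and destination port because the thread does not say which side uses it.

```python
CAA_PORT = 7500    # UDP port the thread gives for CAA messaging
EPHEMERAL = 50000  # constructed stand-in for the other side's port

SAMPLE_ACL = [     # constructed ACL, not taken from the thread
    "access-list 101 permit udp any host 192.0.2.10 eq 1645",
    "access-list 101 deny udp any any range 7000 8000",
    "access-list 101 permit ip any any",
]

def _skip_addr(tok, i):
    # Address forms: any | host A.B.C.D | A.B.C.D wildcard
    return i + 1 if tok[i] == "any" else i + 2

def _port_match(tok, i, port):
    # Optional port operator after an address; numeric ports only (assumption).
    if i < len(tok) and tok[i] in ("eq", "neq", "gt", "lt"):
        n = int(tok[i + 1])
        hit = {"eq": port == n, "neq": port != n, "gt": port > n, "lt": port < n}[tok[i]]
        return hit, i + 2
    if i < len(tok) and tok[i] == "range":
        return int(tok[i + 1]) <= port <= int(tok[i + 2]), i + 3
    return True, i  # no operator: any port matches

def first_match(acl_lines, sport, dport):
    """First-match verdict for one UDP packet; addresses are assumed to match."""
    for line in acl_lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue
        if tok[3] == "ip":
            return tok[2], line  # covers every IP packet once addresses are ignored
        if tok[3] != "udp":
            continue
        s_ok, i = _port_match(tok, _skip_addr(tok, 4), sport)
        d_ok, _ = _port_match(tok, _skip_addr(tok, i), dport)
        if s_ok and d_ok:
            return tok[2], line
    return "deny", "(implicit deny at end of list)"

def caa_blocked(acl_lines):
    """Map each direction to the deny entry that would drop UDP 7500."""
    flows = {"src 7500": (CAA_PORT, EPHEMERAL), "dst 7500": (EPHEMERAL, CAA_PORT)}
    verdicts = {k: first_match(acl_lines, s, d) for k, (s, d) in flows.items()}
    return {k: line for k, (action, line) in verdicts.items() if action == "deny"}

if __name__ == "__main__":
    for side, line in caa_blocked(SAMPLE_ACL).items():
        print(side, "blocked by:", line)
```

Because addresses are ignored, a reported entry means "could block", so confirm it against the actual client and ACS addresses before changing the list.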