03-09-2011 07:17 AM - edited 03-10-2019 05:53 PM
We have a policy on ACS to disable user accounts (internal user identity store) after X days if the password is not changed.
However, it creates challenges for "service accounts" from NM servers. My goal is to exclude those service accounts from changing their password. In other words, their passwords are not required to be updated.
How do I configure ACS to do so?
thx
Eric
03-09-2011 09:51 AM
Hi,
I don't think this is an option.
Dan
03-15-2011 07:10 AM
Hi! Can anyone provide any solution? Or is there no flexibility in ACS?
03-15-2011 08:01 AM
Have a look at the Release Information for ACS 5.2.0.26.3 cumulative patch.
Readme for Using Identity User Policy Password
CSCtk32178 - Add an option for pass never expired for specific users
John
03-15-2011 08:09 AM
Does it mean the patch needs to be applied on our ACS?
shobcacslnprd01/admin# show ver
Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.182
ADE-OS System Architecture: i386
Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
Hostname: shobcacslnprd01
Version information of installed applications
---------------------------------------------
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.2.0.26.1
Internal Build ID : B.3075
Patches :
5-2-0-26-1
03-15-2011 08:16 AM
Some more background here (I think this data is captured in the release notes).
The capability is available in patch 5.2.0.26.2 and onwards.
This capability uses a predefined internal user attribute to indicate whether the password for a user expires.
The administrator can define a reserved-name Boolean attribute in order to configure specific users so that their password never expires.
Note, this attribute can be used to override only the "Expire the password" option and not the "Disable user account" option in the users authentication global settings.
For enabling this feature:
1) Set the "Users Authentication Settings" to be "expire the password"
2) In System Administration > Configuration > Dictionaries > Identity > Internal Users, add a Boolean attribute called ACS-RESERVED-Never-Expired and set its default value to "false".
3) Set this attribute to true for users whose password never expires.
03-15-2011 08:24 AM
Great, great info.
Does it mean:
1. I should download this from cisco.com:
5-2-0-26-3.tar.gpg
Release Date: 15/FEB/2011
ACS 5.2.0.26.3 cumulative patch.
Size: 68569.44 KB (70215104 bytes)
2. At the CLI, use "patch install 5-2-0-26-3.tar.gpg"
3. Reload ACS
4. Perform the patch installation on all ACS in the cluster
5. Then the ACS GUI will have a new field and new setting. The default policy is that user passwords will expire, but some users can be set to password never expires.
Correct? Thanks
Eric Wang
03-15-2011 08:29 AM
Yes with one clarification.
You need to create the user attribute for "ACS-RESERVED-Never-Expired" yourself using the GUI. It does not get created automatically.
03-15-2011 08:34 AM
Thanks. Where can I find instructions to create a new attribute?
03-15-2011 08:40 AM
Go to System Administration > Configuration > Dictionaries > Identity > Internal Users
Press Create
In this case set "Name" to the required name, "Attribute Type" as "Boolean" and "Default Value" to false
03-15-2011 08:46 AM
Wonderful. I will give it a try. Thanks a lot!