Cisco ACS 5.2: How to make "service account" exempt from password lifetime policy

Eric.Wang
Level 1

We have a policy on ACS to disable user accounts (internal user identity store) after X days if the password is not changed.

However, it creates challenges for "service accounts" from NM servers. My goal is to exclude those service accounts from changing passwords. In other words, their passwords are not required to be updated.

How do I configure ACS to do so?

thx

Eric

Accepted Solution

Hi,

I don't think this is an option.

Dan

10 Replies

Eric.Wang
Level 1

Hi! Can anyone provide any solution? Or is there no flexibility in ACS?

Have a look at the Release Information for ACS 5.2.0.26.3 cumulative patch.

Readme for Using Identity User Policy Password

CSCtk32178 Add an option for pass never expired for specific users

John

Does it mean the patch needs to be applied on our ACS?

shobcacslnprd01/admin# show ver

Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.182
ADE-OS System Architecture: i386

Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.
Hostname: shobcacslnprd01

Version information of installed applications
---------------------------------------------

Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.2.0.26.1
Internal Build ID : B.3075
Patches :
5-2-0-26-1

Some more background here (I think this data is captured in the release notes).

The capability is available on patch 5.2.0.26.2 and onwards.

This capability uses a predefined internal user attribute to indicate whether the password for a user expires.

The administrator can define a reserved-name Boolean attribute in order to configure specific users to never expire their password.

Note, this attribute can be used to override only the "Expire the password" option and not the "Disable user account" option in the users' authentication global settings.

For enabling this feature:

1) Set the "Users Authentication Settings" to be "expire the password"

2) In: System Administration > Configuration > Dictionaries > Identity > Internal Users, add a Boolean attribute called ACSRESERVEDNeverExpired and set its default value to "false".

3) Set this attribute to true for users whose password never expires.
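Since the attribute is only honoured from patch 5.2.0.26.2 onwards, a quick way to check a box before creating it is to parse the "Cisco ACS VERSION INFORMATION" block of "show ver" output (as quoted earlier in this thread). The following is an added Python example, not code from Cisco or from anyone in this thread; the sample output is constructed to match the quoted format.

```python
import re

# Minimum level at which the ACSRESERVEDNeverExpired attribute is honoured
# (CSCtk32178), per this thread: ACS 5.2.0.26.2 and onwards.
MIN_VERSION = (5, 2, 0, 26, 2)

# Constructed sample, modelled on the "show ver" output quoted in the thread.
SAMPLE_SHOW_VER = """\
Cisco ACS VERSION INFORMATION
-----------------------------
Version : 5.2.0.26.1
Internal Build ID : B.3075
Patches :
5-2-0-26-1
"""

def parse_version(s):
    """Turn '5.2.0.26.1' or '5-2-0-26-1' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.split(r"[.-]", s.strip()))

def parse_show_ver(text):
    """Return (base version, [installed patch versions]) from show ver text."""
    version = None
    patches = []
    in_patches = False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Version\s*:\s*(\S+)", line)   # e.g. "Version : 5.2.0.26.1"
        if m:
            version = parse_version(m.group(1))
            continue
        if line.startswith("Patches"):               # patch list follows this line
            in_patches = True
            continue
        if in_patches and re.fullmatch(r"[\d.-]+", line):
            patches.append(parse_version(line))
    return version, patches

def effective_version(text):
    """Highest of the base version and any installed cumulative patch."""
    version, patches = parse_show_ver(text)
    candidates = ([version] if version else []) + patches
    return max(candidates) if candidates else None

def never_expire_supported(text):
    """True when the box reports a level at which the attribute is honoured."""
    ev = effective_version(text)
    return ev is not None and ev >= MIN_VERSION
```

Run it against the real "show ver" output of each node in the cluster, since the thread notes the patch must be installed on every ACS.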

Great great info.

Does it mean

1. I should download this from cisco.com

5-2-0-26-3.tar.gpg
Release Date: 15/FEB/2011
ACS 5.2.0.26.3 cumulative patch.
Size: 68569.44 KB (70215104 bytes)

2. at CLI, use "patch install 5-2-0-26-3.tar.gpg"

3. reload ACS

4. perform patch installation on all ACS in the cluster

5. Then the ACS GUI will have a new field and new setting. The default policy is that user passwords will expire, but some users can be set to password never expire.

Correct? Thanks

Eric Wang

Yes, with one clarification.

You need to create the user attribute for "ACSRESERVEDNeverExpired" yourself using the GUI. It does not get created automatically.

Thanks. Where can I find instructions to create a new attribute?

Go to System Administration > Configuration > Dictionaries > Identity > Internal Users

Press Create

In this case, set "Name" to the required name, "Attribute Type" to "Boolean", and "Default Value" to false.

Wonderful. I will give it a try. Thanks a lot!
