Cisco Secure ACS 5.2 - Appliance - to use or not to use UCP


I've been doing some research and have found some conflicting articles and discussion on the subject matter.  I think I understand how UCP works.  However, I don't know that I want to implement it.  What bothers me is that I've seen several references that indicate UCP significantly reduces the number of password reset requests that the ACS Administrator will receive.

All users are located in the local identity store.

So - assume I do not implement ACS but I do turn on password expiration after 60 or 90 days.  When a user whose password is about to expire attempts to authenticate against ACS 5.2, will they be notified that their password is about to expire?

Also, when a user attempts to authenticate but their password expired yesterday, will they be prompted to change it and if so, how will that prompt to change it be presented?

You can probably tell that I am a neophyte on this - certainly not the SME that will ultimately set it up. So if I've left out any details, let me know and we can go from there.  I appreciate any and all responses.

Tom Erickson

301-602-8680 (mobile)


Are you using RADIUS or TACACS+?


We're using TACACS+ and, in the third paragraph, I meant that to say "So - assume I do not implement UCP ..."



Patch two of ACS 5.2 includes the following fix

CSCtk32168: Add an option to change password when password expires (T+ and Radius)

Once this is installed there is an option in User Authentication Settings (System Administration > Users > Authentication Settings: Advanced tab) as to what to do when the password was not changed in an interval higher than the expiry interval.

There are options available to either disable the account or expire the password (and the user is asked to change the password on authentication). In this case I don't think UCP would be a necessity.