05-11-2012 02:04 AM - edited 03-10-2019 07:05 PM
Hi,
today we had an issue with our ACS 5.2.0.26.8. For some 802.1x accounts I have configured ACS–RESERVED–Never–Expired=True, but today all of them were set to expired, as I could see in the ACS instance logfile. Blocking Reason=PASSWORD_EXPIRED.
Any hints on that?
Regards, Andreas
05-13-2012 11:21 PM
Hi Andreas
What type of EAP authentication are you using?
Can you please send me screenshots from Users --> Authentication Settings?
A screenshot from the Access Service where the EAP protocol details are viewed?
A sample screenshot of the settings of an internal user?
Regards
05-15-2012 02:37 AM
Hi maldehne
we have the same problem. I use it for TACACS+ authentication; here you find the "allowed protocols" for our access service.
Do I need to enable MSCHAPv2 for ACS-RESERVED-Never-Expired to work?
Best regards
Dominic
05-15-2012 04:23 AM
Hello Dominic
Please try to redefine the attribute by entering it manually; sometimes copy and paste replaces '-' with a space. I have seen that in one case before.
Also, do you have any policy condition mapped to the attribute? If so, try to disable it and let me know how it goes.
Regards
05-15-2012 04:38 AM
Hi maldehne
thanks for your fast feedback. Indeed, when I entered the attribute manually, the dropdown (with previously entered values) of the browser disappeared after the ACS-, so there was a copy/paste problem.
BUT this did not solve the problem yet, I still get the following login prompt:
username: test2
password:
Enter new password:
Below you see some more configuration details. We use ACS 5.3.0.40.
Thanks a lot and best regards
Dominic
05-15-2012 02:36 PM
Please make sure that your setup has been done according to the following:
STEP 1:
To make internal user accounts never expire, go to System Administration > Users > Authentication Settings:
Select the "Advanced" tab and select "Never" under "Account Disable".
If you want to notify users of password expiry, then under the "Advanced" tab:
Select "Display Reminder after n days" under "Password Lifetime" ("n" can be from 1 to 365 days).
STEP 2:
1) System Administration > Configuration > Dictionaries > Identity > Internal Users: add a Boolean attribute with the name "ACS-RESERVED-Never-Expired" and set it to false.
2) Go to the user whose password you don't want to expire and set the "ACS-RESERVED-Never-Expired" field to true. Do the same for each account whose password you do not want to expire.
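As an added illustration, not taken from this thread or from Cisco (ACS has no such export or API; the user listing and log lines below are constructed), this Python sketch applies the two checks the steps above imply: the dictionary attribute name must be exactly ACS-RESERVED-Never-Expired (catching the copy/paste dash problem mentioned earlier), and accounts carrying it set to true should not show up in the log with the PASSWORD_EXPIRED or 24203 reasons reported in this thread.

```python
import re

# Exact reserved attribute name the thread says ACS expects (Boolean, default false).
EXPECTED_ATTR = "ACS-RESERVED-Never-Expired"
# Failure markers quoted in this thread for accounts that should never expire.
EXPIRY_MARKERS = ("PASSWORD_EXPIRED", "24203")
# Characters a copy/paste from a browser or document may substitute for '-'.
_DASHES = "\u2010\u2011\u2012\u2013\u2014\u2015\u00a0 "

def attribute_name_problem(name):
    """Return None if the attribute name is exact, else a short description of
    why ACS would treat it as an ordinary (non-reserved) attribute."""
    if name == EXPECTED_ATTR:
        return None
    normalized = "".join("-" if c in _DASHES else c for c in name)
    if normalized == EXPECTED_ATTR:
        return "hyphens replaced by spaces or dashes (copy/paste artifact)"
    if normalized.lower() == EXPECTED_ATTR.lower():
        return "wrong letter case"
    return "does not match the reserved attribute name"

def misnamed_attributes(users):
    """users: {username: {attribute_name: value}} (constructed format).
    Returns (user, attribute, problem) for every look-alike attribute name."""
    findings = []
    for user, attrs in users.items():
        for attr in attrs:
            problem = attribute_name_problem(attr)
            if problem and attr != EXPECTED_ATTR:
                findings.append((user, attr, problem))
    return findings

def expiry_failures(log_lines):
    """Usernames from constructed 'User=<name>' log lines whose failure reason
    is one of the expiry markers; order preserved, duplicates kept."""
    hits = []
    for line in log_lines:
        if any(marker in line for marker in EXPIRY_MARKERS):
            match = re.search(r"\bUser=([^\s,;]+)", line)
            hits.append(match.group(1) if match else "<unknown>")
    return hits

def never_expire_users_still_blocked(users, log_lines):
    """Accounts with the reserved attribute correctly set to True that the
    log nevertheless shows blocked for expiry: the symptom from the thread."""
    never_expire = {u for u, a in users.items() if a.get(EXPECTED_ATTR) is True}
    return sorted(never_expire & set(expiry_failures(log_lines)))

# Constructed sample data (hypothetical usernames and log format).
SAMPLE_USERS = {
    "dot1x-printer01": {EXPECTED_ATTR: True},
    "vpn-user7": {"ACS RESERVED Never Expired": True},  # pasted with spaces
    "admin1": {EXPECTED_ATTR: False},
}
SAMPLE_LOG = [
    "2012-05-11 01:58:10 AUTH FAILED User=dot1x-printer01 Blocking Reason=PASSWORD_EXPIRED",
    "2012-05-11 01:58:12 AUTH PASSED User=admin1",
    "2012-09-28 01:10:03 AUTH FAILED User=vpn-user7 Message=24203 User need to change password",
]
```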
05-15-2012 03:31 PM
Great, I did not know that the default value has to be FALSE anyway; I thought I could use TRUE or FALSE, but it is definitely only FALSE.
Thanks a lot and best regards (5 points to go... ;-)
Dominic
05-15-2012 11:22 PM
BTW Dominic please make sure to flag the thread as solved.
05-15-2012 11:34 PM
I would like to, but because it is not MY discussion, I cannot mark your great answer as the correct one!
Sorry for that.
Best regards
Dominic
09-28-2012 01:25 AM
Before, authentication failed because of "password expired".
But now I am struggling with another issue. The password now will not expire, but authentication fails because of the following reason: "24203 User need to change password".
Can't believe that...
I have to say this: ACS 5 is a really epic fail with these user-specific parameters. I can't migrate my 802.1x users, my VPN users and my technical users (i.e. for CiscoWorks), all because of this password expire "thing".
Looks like I really have to buy 2 ACS systems: one with TACACS config for device administration and password expiration, and one with RADIUS config for network access without password expiration :-/