Jimmi Hvidtfeldt
Beginner

Password "never expire" acs 5.2

Hi Guys

I am struggling with migrating from ACS4.2 to ACS 5.2.

In our 4.2 platform we have a lot of users defined used for authenticating EasyVPN boxes.

However, when I am migrating those "users" to ACS 5.2 I no longer have the option of setting that their password shouldn't expire.

In the release notes of ACS 5.2 I have read that they have included the option, but I can't seem to find it.

Should I build the field myself in dictionaries?

Best regards

Jimmi Hvidtfeldt


jrobnelson
Beginner

Sir:

Under the System Administration > Users > Authentication Settings > Advanced, uncheck the password lifetime settings. As far as doing this on an individual basis, I have not seen a method either, nor have I experimented with the dictionary. I will however look into it, as you have me curious.

Hey

Thanks for your reply.

I know that I can disable password aging, but that would also mean that my network administrators are not required to change their TACACS login.

And I would very much like that to happen.

Also we have some external partners connecting via VPN, which is defined in ACS instead of AD.

When I look at the patch levels for ACS 5.2 I see the following.

Table 5 Resolved Issues in Cumulative Patch ACS 5.2.0.26.2

Bug ID | Description
CSCtk32178 | Add an option for pass never expired for specific users.

However, I cannot find documentation anywhere on how to actually accomplish it.

Any help is appreciated.

Thanks for looking into it.

Some more background here (I think this data is captured in the release notes)

The capability is available on patch 5.2.0.26.2 and onwards

This capability uses a predefined internal user attribute to indicate whether the password for a user expires

The administrator can define a reserved name boolean attribute in order to configure for specific users to never expire their password.

Note, this attribute can be used to override only the "Expire the password" option and not the "Disable user account" in the users authentication global settings.

For enabling this feature:

1) Set the "Users Authentication Settings" to be "expire the password"

2) In: System Administration > Configuration > Dictionaries > Identity > Internal Users add Boolean attribute called ACS-RESERVEDNeverExpired and set its default value to "false".

3) Set this attribute to true for users whose passwords will never expire


That's great, thanks.

Just what I needed.

For anyone using this (correct) solution: do take heed and type in the Boolean string name manually.

-> I have spent 3 days looking for inconsistencies etc.; then it came to light that the above string has incorrect dashes:

'ACS-RESERVEDNeverExpired' -> '‐'

as opposed to required

'ACS-RESERVED-Never-Expired' ->'-'

 

Regards
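
An added example, not part of the original thread: a small Python check for the pitfall described in the last reply, where a name copied from a web page carries a Unicode hyphen (U+2010) instead of the ASCII hyphen-minus. The required name is taken from that reply; the function names and sample strings are constructed for illustration.

```python
import unicodedata

# Attribute name as given in the thread's last reply (ASCII hyphen-minus, U+002D).
REQUIRED = "ACS-RESERVED-Never-Expired"


def suspicious_chars(name):
    """Return (index, 'U+XXXX', Unicode name) for every non-ASCII character."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(name)
        if ord(ch) > 0x7F
    ]


def to_ascii_dashes(name):
    """Map dash punctuation (category Pd) and U+2212 to '-'; drop format chars (Cf)."""
    out = []
    for ch in name:
        cat = unicodedata.category(ch)
        if cat == "Cf":                     # soft hyphen, zero-width space/joiner
            continue
        if cat == "Pd" or ch == "\u2212":   # hyphen, non-breaking hyphen, en/em dash, minus
            out.append("-")
        else:
            out.append(ch)
    return "".join(out)


def check(name):
    """Classify a candidate attribute name against REQUIRED."""
    if name == REQUIRED:
        return "ok"
    if to_ascii_dashes(name) == REQUIRED:
        return "lookalike"   # same text once dashes are normalised: retype it by hand
    return "mismatch"


if __name__ == "__main__":
    # Constructed samples: correct name, U+2010 paste, and a name missing two dashes.
    samples = [REQUIRED,
               "ACS\u2010RESERVED\u2010Never\u2010Expired",
               "ACS-RESERVEDNeverExpired"]
    for s in samples:
        print(check(s), suspicious_chars(s))
```

A "lookalike" result means the pasted name renders the same but will not match byte for byte, so the attribute should be retyped rather than pasted.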
