Question about ACS 5.1 and user account expiration

raga.fusionet
Level 4

Hi All,

Is there a setting on ACS 5.1 where you can configure the user account's expiration? Speaking of users locally configured on the ACS.

If not, can you accomplish this with an external db such as MS AD? How?

We are looking for a way to manage our guest's hotspot so that we can create temporary users without having to purchase any additional hardware/software.

Thanks in advance,

Raga

Accepted Solutions

Tarik Admani
VIP Alumni

Raga,

Here is the answer to your first question -

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/release/notes/acs_51_rn.html#wp122068

As far as being able to do this in AD, it is possible. You can look at the following documentation, which shows how to configure AD attributes. I have helped a customer retrieve the lockouttime attribute in his AD environment; I don't think this attribute is present in the 2003 DC because I was unable to replicate this attribute.

Another step would be to use useraccountcontrol -

http://support.microsoft.com/kb/305144 - set a simple condition so that if this value is 512 you can permit access. When you lock the account, it will add the status of disable to the type of account; if it is 512 (Normal_Account), it will equal 514. The most secure approach is to see what value you have for the guest account by retrieving the attribute after you create the account, then create a condition that matches this account.

Let me know if this helps!

Tarik
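
Added example (not part of the original post or of Cisco's or Microsoft's documentation): a Python helper that decodes userAccountControl using bit values from KB305144 and lists the exact values an equality condition would have to match. The function names and the sample values are constructed for illustration.

```python
from itertools import combinations

# userAccountControl bits from Microsoft KB305144 (subset relevant here).
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "PASSWORD_EXPIRED": 0x800000,
}

def decode(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def permit_exact(value, allowed=(512,)):
    """Equality-style condition: permit only the listed exact values."""
    return value in allowed

def permit_by_flags(value):
    """Bit test: a normal user account that is not disabled."""
    normal = value & UAC_FLAGS["NORMAL_ACCOUNT"]
    disabled = value & UAC_FLAGS["ACCOUNTDISABLE"]
    return bool(normal) and not disabled

def exact_values_to_permit(optional=("PASSWD_CANT_CHANGE", "DONT_EXPIRE_PASSWORD")):
    """Every enabled NORMAL_ACCOUNT value reachable with the optional flags,
    i.e. the list an equality-only condition would have to match."""
    base = UAC_FLAGS["NORMAL_ACCOUNT"]
    values = set()
    for r in range(len(optional) + 1):
        for combo in combinations(optional, r):
            values.add(base + sum(UAC_FLAGS[n] for n in combo))
    return sorted(values)

# Constructed sample values, as they might be read back from guest accounts.
SAMPLES = [512, 514, 66048, 66050]

if __name__ == "__main__":
    for v in SAMPLES:
        print(v, decode(v), "exact:", permit_exact(v), "flags:", permit_by_flags(v))
    print("values to permit:", exact_values_to_permit())
```

A value of 66048 is an enabled normal account with a non-expiring password, yet it fails a condition that matches only 512, which is why reading the attribute back from the actual guest account before writing the condition matters.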

Tarik,

Thanks for your response; however, from what I understood from your docs, both options in AD require some admin intervention to disable the account after an "x" period of time. I'd like to be able to create a user, let's say temp_user, which would be valid for, let's say, two hours (or the next two hours) and forget about it, knowing that the account would be automatically disabled after x hours have passed.

Having to create the user and go and disable it (lock it) after x hours doesn't sound manageable for a large deployment.

Thanks again.

Raga

Hi Tarik,

If you do not mind, could you give an idea of how to configure ACS using the attribute useraccountcontrol to allow access or not? I was wondering if this can be achieved using SHELL PROFILE.

Thanks in advance for any orientation. I am not an ACS expert but I will give it a try by myself.

AC