01-14-2013 03:23 PM - edited 03-10-2019 07:58 PM
1) Would someone be so kind as to post a screenshot of secureacs 5.4 user properties showing the per-user expiration/account lock policy that is now available to be overridden at a per-user level?
2) Is there a way yet in 5.4 to set a password to never expire for a service account?
01-14-2013 03:29 PM
For question 2), you can do the following:
It is enabled by creating attributes for internal users
This functionality is enabled as follows:
- In System Administration > Configuration > Dictionaries > Identity > Internal Users, add Boolean attribute ACS-RESERVED-Never-Expired and set its default value to "false".
- Set this user attribute to be true in the internal user definitions of those users whose password should never expire.
01-14-2013 03:37 PM
I've previously tried this without success:
Screenshots:
The account still expires for not changing the password every "x" days.
Do any of the new per-user security options in 5.4 address this in a more clean manner? However, I'd certainly like to get this working too.
03-04-2013 02:50 PM
I have the same issue; settings match Paul's screenshots, however service account passwords are still expiring. Any suggestions would be appreciated.
Thanks.
03-11-2013 02:25 AM
I was able to recreate the issue you described on my ACS 5.4 system and also saw users still expiring.
I have reported the issue and will update when I get confirmation of any analysis on this issue.
03-18-2013 02:49 PM
We are running ACS version 5.4.0.46.0a. I had a TAC case open for another issue and asked the engineer about this, and they mentioned that they thought the issue should be resolved in the latest patch. I set up ACS in a lab to test this, I just have not gotten around to it yet, but if you are running the latest build and still having the issue it will save me some time.
Let me know what build you are running that is still having this issue.
Thanks.
03-18-2013 02:53 PM
It is not yet resolved in latest patch for ACS 5.4 (patch 2)
Target is for patch 3; do not have any ETA yet
Following is the CDETS to be tracked:
CSCue30822 Password expiration with Boolean
04-07-2013 12:06 AM
I have dug in some more here.
Currently the user will not expire if the following setting is selected
System Administration > Users > Authentication Settings
- Disable user account
- Expire the password
The option to expire the password must be selected. Then users with the attribute set to true will never expire, and other users will have their passwords expire after this interval and will be forced to change password on next login, provided that they use a protocol that supports change password. Otherwise authentication will fail with
Authentication failed :
05-17-2013 05:37 AM
The issue has been resolved in ACS 5.4 patch 3, with the following fix:
CSCuf16197 ACS-RESERVED-Never-Expired does not prevent user account from expiring
Now, irrespective of whether you select "Expire the password" or "Disable user account", neither of these options will take effect if the ACS-RESERVED-Never-Expired attribute is set to true.
An additional fix of interest in this patch may be
CSCuc58345 Even with ACS-RESERVED-Never-Expired ACS counts down days until expiry
08-19-2013 09:53 AM
Is this to suggest that the configuration based on the screenshots I provided above should prevent account expiration with the patch? If yes, something is still not working correctly. Has anyone else got this to work?
09-23-2013 02:40 PM
Back to top. Problem still exists.
11-25-2013 08:59 AM
I'm still having this problem. BTT.
11-25-2013 12:45 PM
We have not seen others hitting this problem and without further details I can't really help assess further
Note that ACS 5.5 was posted today and includes the following enhancement:
CSCty77259: ACS 5 global password policy for local user should have per user ignore
11-26-2013 03:04 PM
Is there any additional information I can provide which will assist you? I am running 5.4.0.46.4.
The screenshots in the top of this thread are mine.
If you're suggesting 5.5 has a "disable password policy for user entirely" style knob this may work in lieu of disabling password expiration enforcement per user. However, I do not know if I will have the ability to upgrade to 5.5 right now.
12-22-2013 05:47 PM
This just happened again. I tried completely deleting the account and re-creating it, with no further success. It's a service account and predictable: it starts to fail to function when its password expires because it can't be successfully overridden from general policy.
I am still not able to access that bug as it is not Cisco customer visible.