01-13-2016 07:11 AM - edited 03-10-2019 11:23 PM
The IRS requires all systems that process sensitive personal information, such as social security numbers, to have their passwords protected in many ways, one of them being a minimum password age of 1 day set on all passwords. I cannot find how to do that with the Cisco ACS 5.7 TACACS+ appliance.
This can be found in IRS Pub 1075, Section 9.3.7.5 Authenticator Management (IA-5)
Any ideas, or is the Cisco product simply unusable for anything that must meet IRS requirements?
01-13-2016 09:14 AM
01-13-2016 09:29 AM
Thanks for the location. Looking there, I do not see any way to set a minimum password age limit. For example, the IRS requires that the last 24 passwords not be reused. Someone could change their password 24 times in a row (it would take them several minutes) and go back to using the exact same password that had just expired.
With a Minimum Password Age of 1 Day, a person can only change their password once every 24 hours, which would prevent them from doing what I described above, or at least make it take 24 days to do it.
Do you (or anyone), know of a way to get the ACS Server to enforce such a limitation? To enforce a limit of one password change a day?
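The reasoning in the post above (a history depth alone can be cycled through in minutes; a minimum age turns that into days) is easy to show with a small model. The block below is an added example, not Cisco ACS code and not a description of how ACS stores passwords; the account data, password strings and timestamps are constructed, and the plain SHA-256 digest stands in for whatever hash a real identity store would use.

```python
"""Added example (not Cisco ACS code): a minimal password-change policy
showing why a password-history depth on its own does not stop reuse, and
how a minimum password age closes that gap. All data here is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib
import hmac


def _digest(password: str) -> str:
    # Illustrative only: a real store would use a salted, slow hash
    # (bcrypt, scrypt, Argon2). SHA-256 keeps the example self-contained.
    return hashlib.sha256(password.encode()).hexdigest()


class PolicyViolation(Exception):
    """Raised when a requested password change breaks the policy."""


@dataclass
class Account:
    username: str
    history: List[str] = field(default_factory=list)  # hashes, most recent last
    last_change: Optional[datetime] = None


@dataclass
class PasswordPolicy:
    history_depth: int = 24                  # "last 24 passwords" from the thread
    min_age: timedelta = timedelta(days=0)   # 0 = no minimum age (the gap discussed)

    def change_password(self, acct: Account, new_password: str, now: datetime) -> None:
        # Minimum age check: refuse a change that comes too soon after the last one.
        if acct.last_change is not None and now - acct.last_change < self.min_age:
            raise PolicyViolation("minimum password age not reached")
        # History check: refuse any of the last `history_depth` passwords.
        new_hash = _digest(new_password)
        for old_hash in acct.history[-self.history_depth:]:
            if hmac.compare_digest(old_hash, new_hash):
                raise PolicyViolation("password reuse within history depth")
        acct.history.append(new_hash)
        acct.last_change = now


def cycle_back_to_original(policy: PasswordPolicy, start: datetime,
                           filler_count: int = 24,
                           spacing: timedelta = timedelta(minutes=1)) -> bool:
    """Attempt the behaviour described in the thread: set a password, change it
    `filler_count` times to throwaway values `spacing` apart, then try to set the
    original again. Returns True if the reuse was accepted, False if rejected."""
    acct = Account("tacacs_user")            # constructed account
    policy.change_password(acct, "Original#1", start)
    t = start
    try:
        for i in range(filler_count):
            t += spacing
            policy.change_password(acct, f"Throwaway{i}", t)
        t += spacing
        policy.change_password(acct, "Original#1", t)
        return True
    except PolicyViolation:
        return False


def earliest_reuse_delay(policy: PasswordPolicy, start: datetime) -> timedelta:
    """Simulate changing at the fastest rate the policy allows and report how long
    after the original was set it can legitimately be reused."""
    acct = Account("tacacs_user")
    policy.change_password(acct, "Original#1", start)
    t = start
    step = policy.min_age if policy.min_age > timedelta(0) else timedelta(minutes=1)
    for i in range(policy.history_depth):
        t += step
        policy.change_password(acct, f"Throwaway{i}", t)
    t += step
    policy.change_password(acct, "Original#1", t)
    return t - start
```

With the default policy (history of 24, no minimum age) the 24 quick changes followed by the original succeed within minutes; with `min_age=timedelta(days=1)` the same sequence is rejected at the second change, and the fastest legitimate route back to the original password takes 25 days (24 throwaway changes plus the final one, each a day apart).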
01-13-2016 09:40 AM
The only option it has is to set the password expiry in days (as in, enter 1) and configure an email reminder for the end user. The other option you can avail of is to check the option "user must change password on next logon" inside the internal user identity store.
- Jatin
01-13-2016 09:44 AM
Thanks, but that setting (with a 1) will mean the password is only good for one day and then they have to change it, which means in a single month a user will need to change their password 28, 30, or 31 times.
I am looking to have them not be allowed to change their password more than 1 time a day, not to have the password good for only one day.
Thanks for replying, though!
01-13-2016 10:11 AM
Then why don't we use the feature "user must change password on next logon"? This way they will be able to change their password the very first time they log in, and that's it. Does that not suit your requirement?
01-13-2016 10:13 AM
What is to stop them from changing the password 5 times back to back?
01-13-2016 10:16 AM
If this is going to be prompted by a device like a switch/router, then they have no control over it. If they have access to the User Changeable Password (UCP) link and they remember their previous password, then I agree we can't stop them.
So the next question is, how do you want them to change their password for the first time?
- Jatin
01-13-2016 10:40 AM
Right now they can do either one, but I can limit them to using a router only. How can I prevent them from changing the password two or more times in a single day if I use the router method only?
All the user has to do is SSH / Telnet to a router, enter their username, and hit ENTER instead of typing in their current password and it will prompt them to change their password.
What would prevent them from doing that twice or more times in a row?
01-13-2016 11:19 AM
Cool! When you create a user account on ACS, please check the option "user must change password". Now when the user establishes a session on the router via telnet/SSH, they will be prompted to change their password (this would happen just once). The option you checked while creating the account will be cleared. Hence they will be prompted only once, unless you go and check that option again in ACS for a specific user.
- Jatin
01-13-2016 11:36 AM
How does that prevent them from connecting to a router, typing their username, and hitting ENTER instead of typing their password? If they do that, it will prompt them to change their password right then.
This can be done over and over again, two or more times in a single day. The IRS requires a limit that a password can only be changed one time a day and no more.