Re: VPN authentication using ACS 3.1(1) db

zabbas · ‎07-21-2003

Is it possible using ACS to not only allow users using a Cisco VPN Client the ability to authenticate to a VPN 3000 concentrator, but also the ability to change their password ?

We are currenlty using a Win2000 domain via the ACS box to authenticate users, we would like to remove the domain from the current setup and just use ACS. The problem we encountered with earlier versions of ACS was once a user id/pass was setup, the user had no ability to change their password (using the cisco client) when logging into vpn for the first time, or the ability to expire a user password after 6 months and then prompt them for a new one. We don't want to have to give users a utility to install to do this.

Is this functionality available in ACS 3.1(1) ?

gfullage · ‎07-21-2003

This is more a function of the VPN client and the VPN concentrator, cause it has to detect the password has expired and prompt the user.

This feature has been in the VPN concentrator and client since 3.5 code, see http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_5/config/usermgt.htm#1177790 and http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/3_5/3kcon_rn.pdf for details, but basically select the "Radius with Expiry" option under the IPSec tab in the group parameters.

The Radius server has to support MSCHAPv2, which ACS v3.1(1) does. You also have to continue to use the NT database with it, this doesn't work when the usernames are stored on the local ACS database.