11-17-2010 09:05 AM - edited 03-10-2019 05:35 PM
Guys I am a bit stumped with this one. I am running ACS 5.1 for device (Router) administration only and using AD for the identity store. My question is when it is time for a user to change their AD password (90 days) and they log into a router, can they get a message saying they need to change it?
I opened a TAC ticket about it and they are telling me that is not supported in v5.1, is that true? If not can I get some help on configuring this function.
Thanks
MikeP
11-19-2010 10:31 AM
Actually, it depends on the protocol.
Active Directory password notification uses MS-CHAP protocol. So if your router supports that protocol it will be OK. My guess is that you're using TACACS. I'm not sure if you can configure MS-CHAP in your router along with TACACS.
I have a similar problem when using ASA as VPN Concentrator. Here, ASA uses RADIUS along with MS-CHAP to tell ACS 5.1 about password notifications.
11-19-2010 11:08 AM
So this is more of a Router configuration issue than it is an ACS (TACACS) issue? Do you have any sample config for a router that I can test, or any documentation that I can look at? I am not too familiar with how that piece works.
Thanks
11-19-2010 01:59 PM
The name of the feature you're looking for is "password expiry" and it uses MS-CHAPv2.
That's why the AAA Client (in your case, router), the AAA protocol (I'm guessing you're using TACACS), the AAA server (ACS 5.1), your Active Directory server, all of them must support MS-CHAPv2.
Sadly, I don't know if TACACS+ supports MS-CHAPv2 authentication. I know that Cisco Routers with RADIUS do support MS-CHAPv2 authentication for VPNs (beginning IOS 12.4(6)T), but I never tested it. The command is
aaa authentication login
In Cisco ASA also RADIUS supports password-expiry for VPNs. The command is
tunnel-group
password management
By the way, I have a case opened with Cisco TAC about password-expiry between ASA and ACS 5.1, because it seems there's a bug with ACS5.1 supporting MS-CHAPv2 password-expiry. I'll keep you posted about my findings.
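To make the two command fragments above concrete, here is an added configuration example; it is not from the post's author or from Cisco documentation. The server-group name ACS-RADIUS, the address 192.0.2.10, the shared secret, and the tunnel-group name RA-VPN are placeholders I chose. The IOS `passwd-expiry` keyword is my recollection of the 12.4(6)T feature the post refers to, so check it against the release notes for your IOS version before relying on it.

```cisco
! ---- ASA: RADIUS server group pointing at ACS (placeholder values) ----
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key PLACEHOLDER-SHARED-SECRET
!
! ---- ASA: remote-access tunnel-group using that group ----
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RADIUS
 ! password-management is the command from the post; it only works when
 ! MS-CHAPv2 survives end to end (ASA -> RADIUS -> ACS -> AD). If any hop
 ! downgrades to PAP, the user just sees "login failed" on expiry.
 password-management
!
! ---- IOS router: login list with password-expiry for RADIUS (assumed keyword) ----
aaa new-model
radius-server host 192.0.2.10 key PLACEHOLDER-SHARED-SECRET
aaa authentication login VPN-USERS passwd-expiry group radius
```

The point the thread is circling is visible in the config: password-management lives under the tunnel-group (VPN) and depends on MS-CHAPv2 over RADIUS, so there is no equivalent knob on a TACACS+ login method list for device administration.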
01-19-2011 09:12 AM
Sorry guys I got a bit busy and was not able to dig any more into this.
So are you saying that if I use TACACS+ to allow admin access to my Cisco Routers, if I use AD to authenticate their IDs and Passwords (no local ACS accounts) it will not allow me to alert them when their PW is about to or has expired?
Everything works perfectly right now using AD to authenticate and map AD groups to an ACS group, but it is not alerting my users when their passwords are about to expire. So their accounts can get locked up if they don't change them.
Thoughts?
Mike
01-20-2011 12:53 PM
I'm attempting the same thing, albeit a tiny bit differently..
I have an ASA supporting a VPN, and ACS 5.2 supporting TACACS and RADIUS authentications.
When a user is in "user must change password on next login" mode, the Login Prompt on the ASA just states that the "login failed". It doesn't prompt the user properly to change their password.
In ACS RADIUS Authentication Logs, I see the error message "24203 User need to change password" which is good, but the ASA is not understanding the reply from the ACS.
I also have a TAC Case open for this issue. Obviously it will be a bit different than ASA -> ACS -> AD.. but it might be the same principle with the password-expiry command.
Please update this thread if you've found an update.
Thanks
01-21-2011 09:21 AM
I will definitely keep you in the loop, but TAC is telling me there is no way. I find it hard to believe this was not thought of when 5.x was created and able to connect to AD for auth. I am just using TACACS for admin access to Routers, Switches and ASAs, no VPN access.
Mike
01-21-2011 09:26 AM
I actually heard back from TAC..
With my config, there isn't a way to do it..
I currently have users Authenticate to the VPN using RSA.. so the sequence goes ASA -> ACS -> RSA (if user not found fall back to ACS Internal User) -> ACS..
During the process of the tunnel from ACS -> RSA, the MSChap v2 is stripped, and the ASA never gets the password change request back to the ASA initiating the connection.
I could make this work by solely using ACS for authentication, but that's not how we want things to work here.
However, to make it work with ACS, there is a command I put into the Tunnel-group area called "password-management". I'm not sure if you can apply that to other parts of the config for device authentication or not, and I'm not sure if you can tie that in to AD authentication either.
Anyways, that's what I've found.
01-21-2011 02:02 PM
Hello Mike, could you tell me your case number? I have a similar case opened.
01-21-2011 03:10 PM
Sure can, the case number is: 616060259. I was working with TAC at the end of last year, I was just able to pick back up on this, that is why I figured I would try these forums next.
Let me know if you find out anything.