cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2051
Views
20
Helpful
9
Replies
Beginner

ACS5.1 and AD - Password Change Notification

Guys I am a bit stumped with this one.  I am running ACS 5.1 for device (Router) administration only and using AD for the identity store.  My question is when it is time for a user to change there AD password (90 days) and they log into a router can they get a message saying they need to change it?

I opened a TAC ticket about it and they are telling me that is not supported in v5.1, is that true?  If not can I get some help on configuring this function.

Thanks

MikeP

9 REPLIES 9
Enthusiast

Re: ACS5.1 and AD - Password Change Notification

Actually, it depends on the protocol.

Active Directory password notification uses MS-CHAP protocol. So if your router supports that protocol it will be OK. My guess is that you're using TACACS. I'm not sure if you can configure MS-CHAP in your router along with TACACS.

I have a similar problem when using ASA as VPN Concentrator. Here , ASA uses RADIUS along with MS-CHAP to tell ACS 5.1 about password notifications.

Beginner

Re: ACS5.1 and AD - Password Change Notification

So this is more of a Router configuration issue then it is a ACS(TACACS) issue?  Do you have any sample config for a router that I can test, or any documentatin that I can look at.  I a mnot to familier with how that piece works.

Thanks

Enthusiast

Re: ACS5.1 and AD - Password Change Notification

The name of the feature you're looking for is "password expiry" and uses MS-CHAPv2

That's why the AAA Client (in your case, router), the AAA protocol (I'm guessing you're using TACACS), the AAA server (ACS 5.1), your Active Directory server, all of them must support MS-CHAPv2.

Sadly, I don't know if TACACS+ supports MS-CHAPv2 authentication. I know that Cisco Routers with RADIUS do support MS-CHAPv2 authentication for VPNs, (beginning IOS 12.4(6)T ) but I never tested it. The command is

aaa authentication login passwd-expiry group radius

In Cisco ASA also RADIUS supports password-expiry for VPNs. The command is

tunnel-group general-attributes

  password management

By the way, I have a case opened with Cisco TAC about password-expiry between ASA and ACS 5.1, because it seems there's a bug with ACS5.1 supporting MS-CHAPv2 password-expiry. I'll keep you posted about my findings.

Beginner

Re: ACS5.1 and AD - Password Change Notification

Sorry guys I got a bit busy and was not able to dig any more into this.

So are you saying that if I use TACACS+ to allow admin access to my Cisco Routers, if I use AD to authenticate there ID's and Passwords (no local ACS accounts) it will not allow me to alert them when there PW is about or has expired?

Everything works perfectly right now using AD to authenticate and map AD groups to a ACS group, but it is not alerting my users when there passords are about to expire.  So there accounts can get locked up if they dont change them.

Thoughts?

Mike

Beginner

Re: ACS5.1 and AD - Password Change Notification

I'm attempting the same thing, albeit a tiny bit differently..

I have an ASA supporting a VPN, and ACS 5.2 support TACACS, and RADIUS Authentications.

When a user is in "user must change password on next login" mode, the Login Prompt on the ASA just states that the "login failed".  It doesn't prompt the user properly to change their password.

In ACS RADIUS Authentication Logs, I see the error message "24203 User need to change password" which is good, but the ASA is not understanding the reply from the ACS.

I also have a TAC Case open for this issue.  Obviously it will be a bit different than ASA -> ACS -> AD..   but it might be the same principle with the password-expiry command.

Please update this thread if you've found an update.

Thanks

Beginner

Re: ACS5.1 and AD - Password Change Notification

I will definetly keep you in the loop, but TAC is telling me there is no way.  Find it hard to believe this was not thougth of when 5.x was created and able to connect to AD for auth.  I am just using tacacs for admin access to Routers, Switches and ASA's, no VPN access.

Mike

Beginner

Re: ACS5.1 and AD - Password Change Notification

I actually heard back from TAC..

With my config, there isn't a way to do it..  

I currently have users Authenticate to the VPN using RSA..   so the sequence goes  ASA -> ACS -> RSA (if user not found fall back to ACS Internal User) -> ACS..

During the process of the tunnel from ACS -> RSA, the MSChap v2 is stripped, and the ASA never gets the password change request back to the ASA initiating the connection.

I could make this work by solely using ACS for authentication, but that's not how we want things to work here.

However, to make it work with ACS, there is a command I put into the Tunnel-group area called "password-management".  I'm not sure if you can apply that to other parts of the config for device authentication or not,..  and I'm not sure if you can tie that in to AD authentication either.

Anyways, that's what I've found.

Enthusiast

Re: ACS5.1 and AD - Password Change Notification

Hello Mike. could you tell your case number ? I have a similar case opened.

Highlighted
Beginner

Re: ACS5.1 and AD - Password Change Notification

Sure can, the case number is: 616060259.  I was working with TAC at the end of last year, I was just able to pick back up on this, that is why I figured I would try these forums next.

Let me know if find out anything.