Password Aging & Account Lockout in ACS 4.2

I have a requirement that in ACS the user accounts should get disabled after 1 day, so in the group setting under the Password Aging field I configured the same as 1 day; the Grace & Warning Period is 0 days.

I want all these user accounts to be active for 30 days, and the moment the account is used (i.e. the Start message appears in the RADIUS accounting), then 1 day after the usage the account should expire as per the Password Aging rule.

Now my query is: will this password aging rule start from the day I create the account in the ACS or from the day the user logs in?

I don’t want to use the Account Lockout Tab as I don’t know when the guest account would be used.

Request someone to help pls clarify my doubt.

Regards


andamani
Cisco Employee

Hi Yusuf,

Password Aging on ACS will just prompt to change the password. It will not disable the account.

The Account is present on the AD. So the Disabling and lockout features for an account will come from the AD.

I don't think a change in password for a guest account is what you would want to do.

Also, according to me, disabling the account should be a feature only for the AD admin and not open. A lockout can definitely happen, but that also has to be defined on the AD.

The link to password Aging on ACS is as follows:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp525115

Hope this helps.

Regards,

Anisha

P.S.: please mark this string as answered if you feel the query is answered.

Hi Anisha

Thanks for the reply.

You are correct that we don't want the guest to change the password. Our idea is that we will create generic accounts whose account validity would be, say, 30 days. Now within the 30 days, whenever the account is used, if the Password Aging parameter is set as 1 day, then after 1 day of usage the password would expire, and we know for sure that the guest would not be able to use the account even though it is active.

We are not creating any accounts on the AD; all the accounts are on the local ACS internal database.

I am not clear if the requirement can be met through the Password Aging Parameter.

Hi Yusuf,

Password aging is used when the users are present in AD.

I guess to restrict the access of the account on the local database of the ACS, one can try the combinations of set max sessions, user usage quotas and user account disablement.

I have never tried it. I am not sure if that will work, but I guess it is worth a try.

The link which explains these is as follows:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrMgt.html#wp273024

Regards,

Anisha.

P.S.: please mark this thread as answered if you think your query is answered.

I will go with your suggestion of the Usage Policy etc.

Thanks very much