
Cisco 2509 - Router - EN - Page 181

6-21
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 6 Setting Up and Managing User Groups
Configuration-specific User Group Settings
Also, to run password aging for transit sessions, the AAA client can be
running either RADIUS or TACACS+. The AAA client must be using
Cisco IOS Release 11.2.7 or later and must be configured to send a watchdog
accounting packet (aaa accounting new-info update) with the IP address of
the calling station. (Watchdog packets are interim packets sent periodically
during a session. They provide an approximate session length in the event that
the AAA client fails and, as a result, no stop packet is received to mark the end
of the session.)
You can control whether Cisco Secure ACS propagates passwords changed
by this feature. For more information, see Local Password Management,
page 8-5.
Cisco Secure ACS supports password aging using the RADIUS protocol under
MS CHAP versions 1 and 2. Cisco Secure ACS does not support password aging
over Telnet connections using the RADIUS protocol.
Caution: If a user with a RADIUS connection tries to make a Telnet connection to the AAA
client during or after the password aging warning or grace period, the change
password option does not appear, and the user account is expired.
Password Aging Feature Settings
This section details only the Password Aging for Device-hosted Sessions and
Password Aging for Transit Sessions mechanisms. For information on the
Windows NT/2000 Password Aging mechanism, and the Windows 2000 DUN
client, see Enabling Password Aging for Users in Windows Databases, page 6-25.
For information on configuring local password validation options, see Local
Password Management, page 8-5.
The password aging feature in Cisco Secure ACS has the following major and
minor options:
Apply age-by-date rules: Selecting this check box configures
Cisco Secure ACS to determine password aging by date. The age-by-date
rules contain the following settings:
    Active period: The number of days users will be allowed to log in
    before being prompted to change their passwords. For example, if you
    enter 20, users can use their passwords for 20 days without being
    prompted to change them. The default Active period is 20 days.
