Cisco Systems 3.3 Server User Manual


 
6-21
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 6 User Group Management
Configuration-specific User Group Settings
Enabling Password Aging for the CiscoSecure User Database
The password aging feature of Cisco Secure ACS enables you to force users to change their passwords under one or more of the following conditions:

• After a specified number of days (age-by-date rules).
• After a specified number of logins (age-by-uses rules).
• The first time a new user logs in (password change rule).
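As an added illustration of how these three conditions combine, the following Python snippet evaluates them against a user record. It is constructed example code, not Cisco Secure ACS code; the policy and record field names, and the choice to trigger the age-by-uses rule once the login count reaches the configured limit, are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed example: an evaluator for the three password aging conditions
# (age-by-date, age-by-uses, change on first login). Not Cisco Secure ACS code;
# names and the ">= limit" trigger semantics are assumptions.


@dataclass
class AgingPolicy:
    max_age_days: Optional[int] = None   # age-by-date rule; None means disabled
    max_uses: Optional[int] = None       # age-by-uses rule; None means disabled
    change_on_first_login: bool = False  # password change rule for new users


@dataclass
class UserRecord:
    username: str
    password_set_on: date        # date of the last password change
    logins_since_change: int     # successful logins since that change
    has_logged_in: bool          # False until the user's first login completes


def aging_violations(user: UserRecord, policy: AgingPolicy, today: date) -> List[str]:
    """Return the aging rules that require a password change for this login.

    An empty list means the user may proceed with the current password.
    """
    reasons = []

    if policy.max_age_days is not None:
        age = (today - user.password_set_on).days
        if age >= policy.max_age_days:
            reasons.append(
                f"age-by-date: password is {age} days old, limit {policy.max_age_days}"
            )

    if policy.max_uses is not None and user.logins_since_change >= policy.max_uses:
        reasons.append(
            f"age-by-uses: {user.logins_since_change} logins since change, "
            f"limit {policy.max_uses}"
        )

    if policy.change_on_first_login and not user.has_logged_in:
        reasons.append("password change rule: first login")

    return reasons


def must_change_password(user: UserRecord, policy: AgingPolicy, today: date) -> bool:
    """True when at least one aging rule is triggered."""
    return bool(aging_violations(user, policy, today))


if __name__ == "__main__":
    # Constructed sample data: a 90-day / 10-login policy with first-login change.
    policy = AgingPolicy(max_age_days=90, max_uses=10, change_on_first_login=True)
    sample_users = [
        UserRecord("new-user", date(2024, 1, 1), 0, False),
        UserRecord("stale-pw", date(2024, 1, 1), 3, True),
        UserRecord("heavy-use", date(2024, 3, 1), 10, True),
        UserRecord("ok-user", date(2024, 3, 1), 2, True),
    ]
    for u in sample_users:
        print(u.username, aging_violations(u, policy, date(2024, 4, 1)))
```

Each rule is independent, so a user can trip several at once; returning every triggered reason rather than stopping at the first makes the resulting audit log entry explain why the change was forced.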
Varieties of Password Aging Supported by Cisco Secure ACS
Cisco Secure ACS supports four distinct password aging mechanisms:
• PEAP and EAP-FAST Windows Password Aging—Users must be in the Windows user database and be using a Microsoft client that supports EAP, such as Windows XP. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases, page 6-26.

• RADIUS-based Windows Password Aging—Users must be in the Windows user database and be using the Windows Dial-up Networking (DUN) client. For information on the requirements and configuration of this password aging mechanism, see Enabling Password Aging for Users in Windows Databases, page 6-26.

• Password Aging for Device-hosted Sessions—Users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session. You can also control whether Cisco Secure ACS propagates passwords changed by this feature. For more information, see Local Password Management, page 8-5.

• Password Aging for Transit Sessions—Users must be in the CiscoSecure user database. Users must use a PPP dialup client. Further, the end-user client must have CiscoSecure Authentication Agent (CAA) installed.

Tip: The CAA software is available at http://www.cisco.com.

Also, to run password aging for transit sessions, the AAA client can be running either RADIUS or TACACS+; and the AAA client must be using Cisco IOS Release 11.2.7 or later and be configured to send a watchdog accounting packet (aaa accounting new-info update) with the IP address of