Cisco Systems 3.3 Server User Manual


 
Chapter 6 User Group Management
Configuration-specific User Group Settings
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
requesting them to change their passwords on their 11th and 12th login
attempts. On the 13th login attempt, they receive a prompt telling them
that they must change their passwords. If users do not change their
passwords now, their accounts expire and they cannot log in. This
number must be greater than the Issue warning after x login number.
Tip: To allow users to log in an unlimited number of times without changing their
passwords, type -1.
Apply password change rule—Selecting this check box forces new users to
change their passwords the first time they log in.
Generate greetings for successful logins—Selecting this check box enables
a Greetings message to display whenever users log in successfully via the
CAA client. The message contains up-to-date password information specific
to this user account.
The password aging rules are not mutually exclusive; a rule is applied for each
check box that is selected. For example, users can be forced to change their
passwords every 20 days, and every 10 logins, and to receive warnings and grace
periods accordingly.
If no options are selected, passwords never expire.
Unlike most other parameters, which have corresponding settings at the user level,
password aging parameters are configured only on a group basis.
Users who fail authentication because they have not changed their passwords and
have exceeded their grace periods are logged in the Failed Attempts log. The
accounts expire and appear in the Accounts Disabled list.
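The login-count rules described above can be modelled to check a group's settings before they are applied. This is an added example, not code from Cisco Secure ACS: the field names are hypothetical, the thresholds 10 and 12 are assumed values chosen to reproduce the 11th/12th/13th-login behaviour, and the handling of warnings when -1 is set is an assumption.

```python
from dataclasses import dataclass

UNLIMITED = -1  # value the Tip gives for unlimited logins without a change


@dataclass
class LoginAgingRule:
    """Login-count aging for one group (field names are hypothetical)."""
    warn_after: int     # models the "Issue warning after x login" number
    require_after: int  # models the require-change number; -1 = unlimited


def audit(rule):
    """Return findings for settings that weaken or break the policy.

    rule=None models a group with no aging check box selected.
    """
    findings = []
    if rule is None:
        findings.append("no aging option selected: passwords never expire")
    elif rule.require_after == UNLIMITED:
        findings.append("-1 set: login count never forces a password change")
    elif rule.require_after <= rule.warn_after:
        findings.append("require-change number must be greater than warning number")
    return findings


def prompt_on(rule, attempt):
    """Prompt shown on the Nth login since the last password change (1-based)."""
    if rule.require_after != UNLIMITED and attempt > rule.require_after:
        return "must_change"  # refusing here expires the account
    if attempt > rule.warn_after:
        return "warn"         # assumption: warnings still apply when -1 is set
    return "none"


def timeline(rule, first, last):
    """Prompts for login attempts first..last inclusive."""
    return [prompt_on(rule, n) for n in range(first, last + 1)]


if __name__ == "__main__":
    rule = LoginAgingRule(warn_after=10, require_after=12)  # constructed sample
    for n, p in enumerate(timeline(rule, 9, 13), start=9):
        print(f"login {n}: {p}")
    for bad in (None, LoginAgingRule(10, UNLIMITED), LoginAgingRule(12, 12)):
        print(bad, "->", audit(bad))
```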
Before You Begin
Verify that your AAA client is running the TACACS+ or RADIUS protocol.
(TACACS+ supports password aging only for device-hosted sessions.)
Set up your AAA client to perform authentication and accounting using the
same protocol, either TACACS+ or RADIUS.
Verify that you have configured your password validation options. For more
information, see Local Password Management, page 8-5.
Set up your AAA client to use Cisco IOS Release 11.2.7 or later and to send
a watchdog accounting packet (aaa accounting new-info update) with the IP
address of the calling station.