User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 13 User Databases
Windows User Database
User-Changeable Passwords with Windows User Databases
For network users who are authenticated by a Windows user database,
Cisco Secure ACS supports user-changeable passwords upon password
expiration. You can enable this feature in the MS-CHAP Settings and Windows
EAP Settings tables on the Windows User Database Configuration page in the
External User Databases section. Using this feature in your network requires the
following:
• Users must be present in the Windows Active Directory or SAM user
database.
• User accounts in Cisco Secure ACS must specify the Windows user database
for authentication.
• End-user clients must be compatible with MS-CHAP, PEAP(EAP-GTC),
PEAP(EAP-MSCHAPv2), or EAP-FAST.
• The AAA client that the end-user clients connect to must support the
applicable protocols:
– For MS-CHAP password aging, the AAA client must support
RADIUS-based MS-CHAP authentication.
– For PEAP(EAP-MSCHAPv2), PEAP(EAP-GTC), and EAP-FAST
password aging, the AAA client must support EAP.
When the conditions above are met and this feature is enabled, users receive a
dialog box prompting them to change their passwords upon their first successful
authentication after their passwords have expired. The dialog box is the same as
the one that Windows presents when a user with an expired password accesses a
network via a remote access server.
For more information about password aging support in Cisco Secure ACS, see
Enabling Password Aging for Users in Windows Databases, page 6-26.
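As an added illustration (not part of the Cisco guide and not Cisco Secure ACS code), the following parses the MS-CHAPv2 failure string defined in RFC 2759, in which error 648 (ERROR_PASSWD_EXPIRED) is the signal that leads a client to show the change-password dialog. The function names and the sample strings are constructed for this example, and the guide does not state the exact text that ACS returns.

```python
import re

# Error codes from RFC 2759, section 6 (MS-CHAPv2 Failure packet).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

_FIELD = re.compile(r"\b([ERCV])=(\S+)")


def parse_mschap_failure(text):
    """Parse 'E=... R=... C=... V=... M=...'; raise ValueError if malformed."""
    # M= is free text and may contain spaces, so split it off first.
    head, sep, msg = text.partition(" M=")
    fields = dict(_FIELD.findall(head))
    if not fields.get("E", "").isdigit():
        raise ValueError("missing or non-numeric E= field")
    challenge = fields.get("C")
    if challenge is not None and not re.fullmatch(r"[0-9A-Fa-f]{32}", challenge):
        raise ValueError("C= must be 32 hex digits for MS-CHAPv2")
    code = int(fields["E"])
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry": fields.get("R") == "1",
        "challenge": challenge,
        "version": int(fields["V"]) if fields.get("V", "").isdigit() else None,
        "message": msg if sep else None,
    }


def password_change_offered(text):
    """True when the failure reports an expired password and advertises
    change-password protocol version 3 (the MS-CHAPv2 value)."""
    f = parse_mschap_failure(text)
    return f["code"] == 648 and f["version"] == 3


if __name__ == "__main__":
    # Constructed sample, not captured from a real server.
    sample = "E=648 R=0 C=0123456789ABCDEF0123456789ABCDEF V=3 M=Password expired"
    print(parse_mschap_failure(sample))
    print(password_change_offered(sample))
```

When troubleshooting a client that never shows the prompt, checking whether a 648 failure reaches the client at all helps separate an AAA client that does not relay MS-CHAP failures from a supplicant that ignores them.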