Cisco Systems Servers Server User Manual


 
Chapter 6 Setting Up and Managing User Groups
Configuration-specific User Group Settings
6-20
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Enabling Password Aging for the CiscoSecure User Database
The password aging feature of Cisco Secure ACS enables you to force users to
change their passwords under one or more of the following conditions:
- After a specified number of days (age-by-date rules)
- After a specified number of logins (age-by-uses rules)
- The first time a new user logs in (password change rule)
Varieties of Password Aging Supported by Cisco Secure ACS
Cisco Secure ACS supports three distinct password aging mechanisms, as
follows:
- Windows NT/2000 Password Aging: Users must be in the
  Windows NT/2000 database and be using the Windows Dial-up Networking
  (DUN) client. For information on the requirements and configuration of this
  password aging mechanism, see the "Enabling Password Aging for Users in
  Windows Databases" section on page 6-25.
- Password Aging for Device-hosted Sessions: Users must be in the
  CiscoSecure user database, the AAA client must be running TACACS+, and
  the connection must use Telnet.
- Password Aging for Transit Sessions: Users must be in the CiscoSecure
  user database. Users must be using the Windows 95/98/ME, Windows NT
  3.51, Windows NT 4.0, Windows 2000 DUN client, or another PPP dialup
  client. Further, the end-user client must have CiscoSecure Authentication
  Agent (CAA) installed in Windows 95/98/ME or Windows NT/2000.

  Tip: The CAA software is available at http://www.cisco.com.

  Also, to run password aging for transit sessions, the AAA client can be
  running either RADIUS or TACACS+, and the AAA client must be using
  Cisco IOS Release 11.2.7 or later and be configured to send a watchdog
  accounting packet (aaa accounting new-info update) with the IP address of
  the calling station. (Watchdog packets are interim packets sent periodically
  during a session. They enable an approximation of session length in the event
  that the AAA client fails and, thereby, no stop packet is received to mark the
  end of the session.)
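
The prerequisites listed above can be turned into a troubleshooting check that reports which aging mechanism a session qualifies for and which requirement it misses. This is an added example, not code from the Cisco guide; the `Session` record, its field names and the function names are hypothetical, and the sample sessions are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Session:                      # hypothetical record, not an ACS object
    user_db: str                    # "ciscosecure" or "windows"
    connection: str                 # "telnet", "dun" (Windows DUN) or "ppp"
    aaa_protocol: str               # "tacacs+" or "radius"
    caa_installed: bool = False     # CiscoSecure Authentication Agent on client
    ios_release: str = ""           # Cisco IOS release on the AAA client
    watchdog_with_ip: bool = False  # watchdog accounting carries caller IP

def ios_at_least(release, minimum=(11, 2, 7)):
    """Compare the leading numeric fields of an IOS release string."""
    return tuple(int(n) for n in re.findall(r"\d+", release)[:3]) >= minimum

def unmet(s):
    """Map each aging mechanism to the listed requirements the session misses."""
    checks = {
        "windows": [
            (s.user_db == "windows", "user in Windows NT/2000 database"),
            (s.connection == "dun", "Windows DUN client"),
        ],
        "device-hosted": [
            (s.user_db == "ciscosecure", "user in CiscoSecure user database"),
            (s.aaa_protocol == "tacacs+", "AAA client running TACACS+"),
            (s.connection == "telnet", "Telnet connection"),
        ],
        "transit": [
            (s.user_db == "ciscosecure", "user in CiscoSecure user database"),
            (s.connection in ("dun", "ppp"), "DUN or other PPP dialup client"),
            (s.caa_installed, "CAA installed on end-user client"),
            (s.aaa_protocol in ("radius", "tacacs+"), "RADIUS or TACACS+"),
            (ios_at_least(s.ios_release), "Cisco IOS Release 11.2.7 or later"),
            (s.watchdog_with_ip, "watchdog accounting packet with caller IP"),
        ],
    }
    return {m: [why for ok, why in rules if not ok] for m, rules in checks.items()}

def usable(s):
    """Mechanisms whose requirements are all met."""
    return [m for m, gaps in unmet(s).items() if not gaps]

# Constructed sample sessions
dialup = Session("ciscosecure", "ppp", "radius", True, "11.2.5", True)
admin = Session("ciscosecure", "telnet", "tacacs+")
print(usable(admin), unmet(dialup)["transit"])
```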