6-25
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 6 Setting Up and Managing User Groups
Configuration-specific User Group Settings
Enabling Password Aging for Users in Windows Databases
The Windows NT/2000 Password Aging mechanism is separate and distinct from
the other Cisco Secure ACS password aging mechanisms. For information on the
requirements and settings for the password aging mechanisms that control users
in the CiscoSecure user database, see the "Enabling Password Aging for the
CiscoSecure User Database" section on page 6-20. Requirements for
implementing the Windows NT/2000 Password Aging mechanism include the
following:
• Communication between Cisco Secure ACS and the AAA client must use
  RADIUS.
• The AAA client must support MS CHAP password aging in addition to MS
  CHAP authentication.
• Users must be in a Windows NT/2000 database.
• Users must use the Windows DUN client.
• You must enable MS CHAP version 1 or MS CHAP version 2, or both, in the
  Windows NT/2000 configuration within the External User Databases section.
  (Cisco IOS devices support password aging only in MS CHAP version 2.)

Tip: For information on enabling MS CHAP for password changes, see the
"Configuring a Windows NT/2000 External User Database" section on
page 11-13. For information on enabling MS CHAP in System Configuration,
see the "Global Authentication Setup" section on page 8-73.

Note: You can run both the Windows NT/2000 Password Aging and the
Cisco Secure ACS Password Aging for Transit Sessions mechanisms
concurrently, provided that the users authenticate from the two different
databases.

Users whose Windows accounts reside in remote domains (that is, not the
domain within which Cisco Secure ACS is running) can use
Windows-based password aging only if they supply their domain name.