Enabling password – Cisco 3.3 User Manual

Page 211


6-21

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 6 User Group Management

Configuration-specific User Group Settings

Enabling Password Aging for the CiscoSecure User Database

The password aging feature of Cisco Secure ACS enables you to force users to
change their passwords under one or more of the following conditions:

After a specified number of days (age-by-date rules).

After a specified number of logins (age-by-uses rules).

The first time a new user logs in (password change rule).

Varieties of Password Aging Supported by Cisco Secure ACS

Cisco Secure ACS supports four distinct password aging mechanisms:

PEAP and EAP-FAST Windows Password Aging—Users must be in the
Windows user database and be using a Microsoft client that supports EAP,
such as Windows XP. For information on the requirements and configuration
of this password aging mechanism, see Enabling Password Aging for Users
in Windows Databases, page 6-26.

RADIUS-based Windows Password Aging—Users must be in the Windows
user database and be using the Windows Dial-up Networking (DUN) client.
For information on the requirements and configuration of this password aging
mechanism, see Enabling Password Aging for Users in Windows Databases,
page 6-26.

Password Aging for Device-hosted Sessions—Users must be in the
CiscoSecure user database, the AAA client must be running TACACS+, and
the connection must use Telnet. You can control the ability of users to change
passwords during a device-hosted Telnet session. You can also control
whether Cisco Secure ACS propagates passwords changed by this feature.
For more information, see Local Password Management, page 8-5.

Password Aging for Transit Sessions—Users must be in the CiscoSecure
user database. Users must use a PPP dialup client. Further, the end-user client
must have CiscoSecure Authentication Agent (CAA) installed.

Tip

The CAA software is available at http://www.cisco.com.

Also, to run password aging for transit sessions, the AAA client can be
running either RADIUS or TACACS+; and the AAA client must be using
Cisco IOS Release 11.2.7 or later and be configured to send a watchdog
accounting packet (aaa accounting new-info update) with the IP address of
