Password aging – Cisco 3.3 User Manual
Page 55
1-15
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 1 Overview
AAA Server Functions and Concepts
•
Outbound passwords—The TACACS+ protocol supports outbound
passwords that can be used, for example, when a AAA client has to be
authenticated by another AAA client and end-user client. Passwords from the
CiscoSecure user database are then sent back to the second AAA client and
end-user client.
•
Token caching—When token caching is enabled, ISDN users can connect
(for a limited time) a second B Channel using the same OTP entered during
original authentication. For greater security, the B-Channel authentication
request from the AAA client should include the OTP in the username value
(for example, Fredpassword) while the password value contains an
ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then
verify that the token is still cached and validate the incoming password
against either the single ASCII/PAP/ARAP or separate CHAP/ARAP
password, depending on the configuration the user employs.
The TACACS+ SENDAUTH feature enables a AAA client to authenticate
itself to another AAA client or an end-user client via outbound
authentication. The outbound authentication can be PAP, CHAP, or ARAP.
With outbound authentication, the Cisco Secure ACS password is given out.
By default, ASCII/PAP or CHAP/ARAP password is used, depending on how
this has been configured; however, we recommend that the separate
SENDAUTH password be configured for the user so that Cisco Secure ACS
inbound passwords are never compromised.
If you want to use outbound passwords and maintain the highest level of security,
we recommend that you configure users in the CiscoSecure user database with an
outbound password that is different from the inbound password.
Password Aging
With Cisco Secure ACS you can choose whether and how you want to employ
password aging. Control for password aging may reside either in the CiscoSecure
user database, or in a Windows user database. Each password aging mechanism
differs as to requirements and setting configurations.
The password aging feature controlled by the CiscoSecure user database enables
you force users to change their passwords under any of the following conditions:
•
After a specified number of days.
•
After a specified number of logins.
•
The first time a new user logs in.