Cisco 3.3 User Manual

Chapter 6 User Group Management

Configuration-specific User Group Settings

6-22

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

the calling station. (Watchdog packets are interim packets sent periodically
during a session. They provide an approximate session length in the event that
no stop packet is received to mark the end of the session.)

You can control whether Cisco Secure ACS propagates passwords changed
by this feature. For more information, see Local Password Management,
page 8-5.

Cisco Secure ACS supports password aging using the RADIUS protocol under
MS CHAP versions 1 and 2. Cisco Secure ACS does not support password aging
over Telnet connections using the RADIUS protocol.

Caution

If a user with a RADIUS connection tries to make a Telnet connection to the AAA
client during or after the password aging warning or grace period, the change
password option does not appear, and the user account is expired.

Password Aging Feature Settings

This section details only the Password Aging for Device-hosted Sessions and
Password Aging for Transit Sessions mechanisms. For information on the
Windows Password Aging mechanism, see Enabling Password Aging for Users in
Windows Databases, page 6-26. For information on configuring local password
validation options, see Local Password Management, page 8-5.

Note

The password aging feature does not operate correctly if you also use the callback
feature. When callback is used, users cannot receive password aging messages at
login.

The password aging feature in Cisco Secure ACS has the following options:

Apply age-by-date rules—Selecting this check box configures Cisco Secure
ACS to determine password aging by date. The age-by-date rules contain the
following settings:

Active period—The number of days users will be allowed to log in
before being prompted to change their passwords. For example, if you
enter 20, users can use their passwords for 20 days without being
prompted to change them. The default Active period is 20 days.

Warning period—The number of days users will be notified to change
their passwords. The existing password can be used, but Cisco Secure
ACS presents a warning indicating that the password must be changed
