Cisco Systems 3.3

Chapter 6 User Group Management

Configuration-specific User Group Settings

6-22

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

the calling station. (Watchdog packets are interim packets sent periodically

during a session. They provide an approximate session length in the event that

no stop packet is received to mark the end of the session.)

You can control whether Cisco Secure ACS propagates passwords changed

by this feature. For more information, see Local Password Management,

page 8-5.

Cisco Secure ACS supports password aging using the RADIUS protocol under

MS CHAP versions 1 and 2. Cisco Secure ACS does not support password aging

over Telnet connections using the RADIUS protocol.

Caution If a user with a RADIUS connection tries to make a Telnet connection to the AAA

client during or after the password aging warning or grace period, the change

password option does not appear, and the user account is expired.

Password Aging Feature Settings

This section details only the Password Aging for Device-hosted Sessions and

Password Aging for Transit Sessions mechanisms. For information on the

Windows Password Aging mechanism, see Enabling Password Aging for Users in

Windows Databases, page 6-26. For information on configuring local password

validation options, see Local Password Management, page 8-5.

Note The password aging feature does not operate correctly if you also use the callback

feature. When callback is used, users cannot receive password aging messages at

The password aging feature in Cisco Secure ACS has the following options:

•Apply age-by-date rules—Selecting this check box configures Cisco Secure

ACS to determine password aging by date. The age-by-date rules contain the

following settings:

–

Active period—The number of days users will be allowed to log in

before being prompted to change their passwords. For example, if you

enter 20, users can use their passwords for 20 days without being

prompted to change them. The default Active period is 20 days.

–

Warning period—The number of days users will be notified to change

their passwords. The existing password can be used, but the Cisco Secure

ACS presents a warning indicating that the password must be changed