6-21
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter6 Setting Up and Managing User Groups Configuration-specific User Group Settings
Cisco Secure ACS supports password aging using the RADIUS protocol under
MS CHAP versions 1 and 2. Cisco Secure ACS does not support password aging
over Telnet connections using the RADIUS protocol.
Caution If a user employing a RADIUS connection tries to make a Telnet connection
to the AAA client during or after the password aging warning or grace period,
the change password option does not appear, and the user’s account is expired.
Password Aging Feature SettingsThis section details only the Password Aging for Device-hosted Sessions and
Password Aging for Transit Sessions mechanisms. For information on the
Windows NT/2000 Password Aging mechanism and the Windows 2000 DUN
client, see the “Enabling Password Aging for Users in Windows Databases”
section on page 6-25.
The password aging feature in Cisco Secure ACS has the following major and
minor options:
•Apply age-by-date rules—Selecting this check box configures
Cisco Secure ACS to determine password aging by date. The age-by-date
rules contain the following settings:
–
Active period—The number of days users will be allowed to log in
before being prompted to change their passwords. For example, if you
enter 20, users can use their passwords for 20 days without being
prompted to change them. The default Active period is 20 days.
–
Warni ng p eri o d—The number of days users will be notified to change
their passwords. The user’s existing password can be used, but the
Cisco Secure ACS presents a warning indicating that the password must
be changed and displays the number of days left before the password
expires. For example, if you enter 5 in this box and 20 in the Active
period box, users will be notified to change their passwords on the 21st
through 25th days.
–
Grace period—The number of days to provide as the users’ grace
period. The grace period allows a user to log in once to change the
password. The existing password can be used one last time after the
number of days specified in the active and warning period fields has been
exceeded. Then, a dialog box warns the user that the account will be