Chapter 6 Setting Up and Managing User Groups
Configuration-specific User Group Settings
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
disabled if the password is not changed, and enables the user to change
it. Continuing with the examples above, if you allow a 5-day grace
period, a user who did not log in during the active and warning periods
would be permitted to change passwords up to and including the 30th
day. However, even though the grace period is set for 5 days, a user is
allowed only one attempt to change the password when the password is
in the grace period. Cisco Secure ACS displays the “last chance”
warning only once. If the user does not change the password, this login
is still permitted, but the password expires, and the next authentication is
denied. An entry is logged in the Failed-Attempts log, and the user must
contact an administrator to have the account reinstated.
Note: All passwords expire at midnight, not the time at which they were set.
• Apply age-by-uses rules—Selecting this check box configures
Cisco Secure ACS to determine password aging by the number of logins. The
age-by-uses rules contain the following settings:
– Issue warning after x logins—The number of the login upon which
Cisco Secure ACS begins prompting users to change their passwords.
For example, if you enter 10, users are allowed to log in 10 times without
a change-password prompt. On the 11th login, they are prompted to
change their passwords.
Tip: To allow users to log in an unlimited number of times without changing their
passwords, type -1.
– Require change after x logins—The number of the login upon which to
notify users that they must change their passwords. Continuing with
the previous example, if this number is 12, users receive prompts
requesting them to change their passwords on their 11th and 12th logins.
On the 13th login, they receive a prompt telling them that they must
change their passwords. If users do not change their passwords now, their
accounts expire and they cannot log in. This number must be greater than
the Issue warning after x logins number.
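The following added example (not part of the Cisco guide, and not Cisco Secure ACS code) models the age-by-uses counters described above so the off-by-one boundaries can be checked before choosing values. The class, function names, and state labels are hypothetical, and treating -1 in the warning field as switching the rule off is this example's reading of the Tip.

```python
# Added illustration: a model of the age-by-uses rules as this page describes
# them. All names and state labels are assumptions, not Cisco Secure ACS code.
from dataclasses import dataclass

UNLIMITED = -1  # value the Tip gives for "never prompt"


@dataclass
class AgeByUses:
    warn_after: int      # "Issue warning after x logins"
    require_after: int   # "Require change after x logins"

    def __post_init__(self):
        # The page requires the second number to exceed the first.
        if self.warn_after != UNLIMITED and self.require_after <= self.warn_after:
            raise ValueError("require_after must be greater than warn_after")

    def outcome(self, login_number: int) -> str:
        """Classify the Nth login since the last password change (1-based)."""
        if self.warn_after == UNLIMITED:
            return "allow"          # assumption: -1 turns the rule off
        if login_number <= self.warn_after:
            return "allow"          # no change-password prompt yet
        if login_number <= self.require_after:
            return "warn"           # prompted, change is optional
        if login_number == self.require_after + 1:
            return "must_change"    # last login at which a change is possible
        return "denied"             # account expired, administrator needed


def simulate(policy: AgeByUses, changes_on=(), total: int = 15):
    """Replay `total` logins; a password change resets the use counter."""
    count, log = 0, []
    for login in range(1, total + 1):
        count += 1
        result = policy.outcome(count)
        log.append((login, result))
        if login in changes_on and result in ("warn", "must_change"):
            count = 0               # password changed at this login
    return log


if __name__ == "__main__":
    # The page's own numbers: warn after 10, require after 12.
    for login, result in simulate(AgeByUses(10, 12)):
        print(f"login {login:2d}: {result}")
```
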