Chapter 11 Working with User Databases
Windows NT/2000 User Database
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
User-Changeable Passwords with Windows NT/2000 User Databases
For network users who are authenticated by a Windows NT/2000 user database,
Cisco Secure ACS supports user-changeable passwords upon password
expiration. You can enable this feature in the MS-CHAP Settings on the Windows
NT/2000 User Database Configuration page in the External User Databases
section. Using this feature in your network requires the following:
• Users must be present in the Windows NT/2000 user database
• User accounts in Cisco Secure ACS must specify the Windows NT/2000 user
database for authentication
• End-user clients must be MS-CHAP compatible, such as the Windows dial-up
networking client
• The network devices the end-user clients connect to must use RADIUS for
authentication requests sent to Cisco Secure ACS
When the conditions above are met and this feature is enabled, users receive a
dialog box prompting them to change their passwords upon their first successful
authentication after their passwords have expired. The dialog box is the same as
presented to users by Windows when a user with an expired password accesses a
network via a remote access server.
Preparing Users for Authenticating with Windows NT/2000
Before using the Windows NT/2000 user database for authentication, follow these
steps:
Step 1 Make sure the username exists in the Windows NT/2000 user database.
Step 2 In the Windows NT User Manager or in Windows 2000 Active Directory Users
and Computers, clear the following User Properties check boxes:
• User must change password at next logon
• Account disabled
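The checks in Step 1 and Step 2 can be run in bulk against an LDIF export of Windows 2000 Active Directory user objects (such as one produced by ldifde). The following is an added example, not part of the Cisco guide: it assumes the export contains sAMAccountName, userAccountControl and pwdLastSet as plain (non-base64, unfolded) values, and the users, domain and function names are constructed for illustration.

```python
import re

ACCOUNTDISABLE = 0x0002  # userAccountControl bit behind the "Account disabled" check box

# Constructed sample export (hypothetical users and domain), plain "attr: value" LDIF.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512
pwdLastSet: 126227808000000000

dn: CN=Bob Example,CN=Users,DC=example,DC=com
sAMAccountName: bob
userAccountControl: 514
pwdLastSet: 126227808000000000

dn: CN=Carol Example,CN=Users,DC=example,DC=com
sAMAccountName: carol
userAccountControl: 512
pwdLastSet: 0
"""

def parse_ldif(text):
    """Return {sAMAccountName: {attr: value}} for each blank-line-separated record."""
    users = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key] = value.strip()
        if "sAMAccountName" in attrs:
            users[attrs["sAMAccountName"].lower()] = attrs
    return users

def check_users(ldif_text, expected):
    """Map each expected username to the problems found (empty list = ready)."""
    users = parse_ldif(ldif_text)
    report = {}
    for name in expected:
        attrs = users.get(name.lower())
        if attrs is None:  # Step 1: the username must exist
            report[name] = ["not in user database"]
            continue
        problems = []      # Step 2: both check boxes must be clear
        if int(attrs.get("userAccountControl", "0")) & ACCOUNTDISABLE:
            problems.append("Account disabled")
        if attrs.get("pwdLastSet") == "0":  # 0 means a change is forced at next logon
            problems.append("User must change password at next logon")
        report[name] = problems
    return report
```

Calling `check_users(SAMPLE_LDIF, ["alice", "bob", "carol", "dave"])` returns a per-user list of the conditions that still need to be corrected in Active Directory Users and Computers.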