Cisco Systems 3.3 Manual De Usuario
6-21
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 6 User Group Management
Configuration-specific User Group Settings
Enabling Password Aging for the CiscoSecure User Database
The password aging feature of Cisco Secure ACS enables you to force users to
change their passwords under one or more of the following conditions:
change their passwords under one or more of the following conditions:
•
After a specified number of days (age-by-date rules).
•
After a specified number of logins (age-by-uses rules).
•
The first time a new user logs in (password change rule).
Varieties of Password Aging Supported by Cisco Secure ACS
Cisco Secure ACS supports four distinct password aging mechanisms:
•
PEAP and EAP-FAST Windows Password Aging—Users must be in the
Windows user database and be using a Microsoft client that supports EAP,
such as Windows XP. For information on the requirements and configuration
of this password aging mechanism, see
Windows user database and be using a Microsoft client that supports EAP,
such as Windows XP. For information on the requirements and configuration
of this password aging mechanism, see
•
RADIUS-based Windows Password Aging—Users must be in the Windows
user database and be using the Windows Dial-up Networking (DUN) client.
For information on the requirements and configuration of this password aging
mechanism, see
user database and be using the Windows Dial-up Networking (DUN) client.
For information on the requirements and configuration of this password aging
mechanism, see
.
•
Password Aging for Device-hosted Sessions—Users must be in the
CiscoSecure user database, the AAA client must be running TACACS+, and
the connection must use Telnet. You can control the ability of users to change
passwords during a device-hosted Telnet session. You can also control
whether Cisco Secure ACS propagates passwords changed by this feature.
For more information, see
CiscoSecure user database, the AAA client must be running TACACS+, and
the connection must use Telnet. You can control the ability of users to change
passwords during a device-hosted Telnet session. You can also control
whether Cisco Secure ACS propagates passwords changed by this feature.
For more information, see
•
Password Aging for Transit Sessions—Users must be in the CiscoSecure
user database. Users must use a PPP dialup client. Further, the end-user client
must have CiscoSecure Authentication Agent (CAA) installed.
user database. Users must use a PPP dialup client. Further, the end-user client
must have CiscoSecure Authentication Agent (CAA) installed.
Tip
The CAA software is available at
Also, to run password aging for transit sessions, the AAA client can be
running either RADIUS or TACACS+; and the AAA client must be using
Cisco IOS Release 11.2.7 or later and be configured to send a watchdog
accounting packet (aaa accounting new-info update) with the IP address of
running either RADIUS or TACACS+; and the AAA client must be using
Cisco IOS Release 11.2.7 or later and be configured to send a watchdog
accounting packet (aaa accounting new-info update) with the IP address of