Cisco Systems Servers User Manual

Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 6      Setting Up and Managing User Groups
Configuration-specific User Group Settings
Cisco Secure ACS supports password aging using the RADIUS protocol under 
MS CHAP versions 1 and 2. Cisco Secure ACS does not support password aging 
over Telnet connections using the RADIUS protocol. 
Caution
If a user employing a RADIUS connection tries to make a Telnet connection 
to the AAA client during or after the password aging warning or grace period, 
the change password option does not appear, and the user’s account is expired.
Password Aging Feature Settings
This section details only the Password Aging for Device-hosted Sessions and 
Password Aging for Transit Sessions mechanisms. For information on the 
Windows NT/2000 Password Aging mechanism and the Windows 2000 DUN 
client, see the 
The password aging feature in Cisco Secure ACS has the following major and 
minor options:
• Apply age-by-date rules—Selecting this check box configures
  Cisco Secure ACS to determine password aging by date. The age-by-date
  rules contain the following settings:
  - Active period—The number of days users will be allowed to log in
    before being prompted to change their passwords. For example, if you
    enter 20, users can use their passwords for 20 days without being
    prompted to change them. The default Active period is 20 days.
  - Warning period—The number of days users will be notified to change
    their passwords. The user’s existing password can be used, but
    Cisco Secure ACS presents a warning indicating that the password must
    be changed and displays the number of days left before the password
    expires. For example, if you enter 5 in this box and 20 in the Active
    period box, users will be notified to change their passwords on the 21st
    through 25th days.
  - Grace period—The number of days to provide as the users’ grace
    period. The grace period allows a user to log in once to change the
    password. The existing password can be used one last time after the
    number of days specified in the active and warning period fields has been
    exceeded. Then, a dialog box warns the user that the account will be