Cisco Systems Servers User Manual

Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 6      Setting Up and Managing User Groups
Configuration-specific User Group Settings
Enabling Password Aging for Users in Windows Databases
The Windows NT/2000 Password Aging mechanism is separate and distinct from 
the other Cisco Secure ACS password aging mechanisms. For information on the 
requirements and settings for the password aging mechanisms that control users 
in the CiscoSecure user database, see the 
. Requirements for 
implementing the Windows NT/2000 Password Aging mechanism include the 
following:
- Communication between Cisco Secure ACS and the AAA client must use RADIUS.
- The AAA client must support MS CHAP password aging in addition to MS CHAP authentication.
- Users must be in a Windows NT/2000 database.
- Users must use the Windows DUN client.
- You must enable MS CHAP version 1 or MS CHAP version 2, or both, in the Windows NT/2000 configuration within the External User Databases section. (Cisco IOS devices support password aging only in MS CHAP version 2.)
Tip
For information on enabling MS CHAP for password changes, see the 
. For information on enabling MS CHAP in System Configuration, 
see the 
Note
You can run both the Windows NT/2000 Password Aging and the 
Cisco Secure ACS Password Aging for Transit Sessions mechanisms 
concurrently, provided that the users authenticate from the two different 
databases.
Users whose Windows accounts reside in “remote” domains (that is, not the 
domain within which Cisco Secure ACS is running) can only use the 
Windows-based password aging if they supply their domain name.