Cisco Systems Servers User Manual

Chapter 11      Working with User Databases
Windows NT/2000 User Database
11-12
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
User-Changeable Passwords with Windows NT/2000 User Databases
For network users who are authenticated by a Windows NT/2000 user database, 
Cisco Secure ACS supports user-changeable passwords upon password 
expiration. You can enable this feature in the MS-CHAP Settings on the Windows 
NT/2000 User Database Configuration page in the External User Databases 
section. Using this feature in your network requires the following:
- Users must be present in the Windows NT/2000 user database
- User accounts in Cisco Secure ACS must specify the Windows NT/2000 user 
  database for authentication
- End-user clients must be MS-CHAP compatible, such as the Windows dial-up 
  networking client
- The network devices the end-user clients connect to must use RADIUS for 
  authentication requests sent to Cisco Secure ACS
When the conditions above are met and this feature is enabled, users receive a 
dialog box prompting them to change their passwords upon their first successful 
authentication after their passwords have expired. The dialog box is the same one 
that Windows presents when a user with an expired password accesses a 
network via a remote access server.
Preparing Users for Authenticating with Windows NT/2000
Before using the Windows NT/2000 user database for authentication, follow these 
steps:
Step 1  Make sure the username exists in the Windows NT/2000 user database.
Step 2  In the Windows NT User Manager or in Windows 2000 Active Directory Users 
        and Computers, clear the following User Properties check boxes:
        - User must change password at next logon
        - Account disabled
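
The two steps above can be checked in bulk before users are pointed at the Windows database. The following is an added example, not part of the Cisco guide: it assumes a CSV export of Active Directory user attributes (the column layout and sample rows are constructed) and relies on the directory's convention that pwdLastSet = 0 corresponds to "User must change password at next logon" and bit 0x0002 of userAccountControl to "Account disabled".

```python
import csv
import io

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl bit behind "Account disabled"

# Constructed sample export (not real accounts): one row per user.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl,pwdLastSet
alice,512,126500000000000000
bob,514,126500000000000000
carol,512,0
Dave,546,0
"""

def load_accounts(csv_text):
    """Index exported rows by lower-cased logon name (names are case-insensitive)."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["sAMAccountName"].strip().lower(): row for row in rows}

def preflight(csv_text, acs_usernames):
    """Return {username: [problems]} for the users ACS will authenticate."""
    accounts = load_accounts(csv_text)
    report = {}
    for name in acs_usernames:
        row = accounts.get(name.strip().lower())
        if row is None:
            # Step 1: the username must exist in the Windows user database.
            report[name] = ["username not found in Windows user database"]
            continue
        problems = []
        # Step 2: both check boxes must be cleared.
        if int(row["pwdLastSet"]) == 0:
            problems.append("User must change password at next logon is set")
        if int(row["userAccountControl"]) & UF_ACCOUNTDISABLE:
            problems.append("Account disabled is set")
        report[name] = problems
    return report

if __name__ == "__main__":
    users = ["alice", "bob", "carol", "dave", "erin"]
    for user, problems in preflight(SAMPLE_EXPORT, users).items():
        print(f"{user}: {'OK' if not problems else '; '.join(problems)}")
```

An empty problem list means the account passes both visible steps; any other result names the step or check box to fix in User Manager or Active Directory Users and Computers.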