1-13
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
78-13751-01, Version 3.0
Chapter 1      Overview of Cisco Secure ACS
AAA Server Functions and Concepts
request from the AAA client should include the OTP in the username value 
(for example Fredpassword) while the password value contains an 
ASCII/PAP/ARAP password. The TACACS+ and RADIUS servers then 
verify that the token is still cached and validate the incoming password 
against either the single ASCII/PAP/ARAP or separate CHAP/ARAP 
password, depending on the user’s configuration.
The TACACS+ SENDAUTH feature enables a AAA client to authenticate 
itself to another AAA client or an end-user client via outbound 
authentication. The outbound authentication can be PAP, CHAP, or ARAP. 
With outbound authentication, the Cisco Secure ACS password is given out. 
By default, the user’s ASCII/PAP or CHAP/ARAP password is used, 
depending on how this has been configured; however, we recommend that the 
separate SENDAUTH password be configured for the user so that 
Cisco Secure ACS inbound passwords are never compromised.
If you want to use outbound passwords and maintain the highest level of security, 
we recommend that you configure users in the CiscoSecure user database with an 
outbound password that is different from the inbound password.
Password Aging
With Cisco Secure ACS you can choose whether and how you want to employ 
password aging. Control for password aging may reside either in the CiscoSecure 
user database, or in the Windows NT/2000 directory. Each password aging 
mechanism differs as to requirements and setting configurations.
The password aging feature controlled by the CiscoSecure user database enables 
you to force users to change their passwords under any of the following conditions:
• After a specified number of days
• After a specified number of logins
• The first time a new user logs in
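The three CiscoSecure user database conditions above, expressed as a policy check. This is an added illustration, not Cisco Secure ACS code; the record fields and policy names are assumptions, and the user records in the sample run are constructed.

```python
"""Password-aging decision logic modelled on the three CiscoSecure user database
conditions: a maximum age in days, a maximum number of logins, and a forced
change on a new user's first login. Illustrative only; field names are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class AgingPolicy:
    max_age_days: Optional[int] = None     # force a change after this many days
    max_logins: Optional[int] = None       # force a change after this many logins
    change_on_first_login: bool = False    # force a change the first time a new user logs in


@dataclass
class UserRecord:
    username: str
    password_set_on: date                  # date the current password was set
    logins_since_change: int               # successful logins since the password was set
    has_logged_in: bool                    # False until the account's first successful login


def must_change_password(user: UserRecord, policy: AgingPolicy, today: date) -> List[str]:
    """Return every triggered condition ("first_login", "max_age", "max_logins"),
    or an empty list when no condition applies. All configured conditions are
    evaluated so an audit log can record each trigger, not only the first one."""
    reasons = []
    if policy.change_on_first_login and not user.has_logged_in:
        reasons.append("first_login")
    if policy.max_age_days is not None:
        if today - user.password_set_on >= timedelta(days=policy.max_age_days):
            reasons.append("max_age")
    if policy.max_logins is not None and user.logins_since_change >= policy.max_logins:
        reasons.append("max_logins")
    return reasons


if __name__ == "__main__":
    # Constructed sample: one policy applied to four users on the same day.
    policy = AgingPolicy(max_age_days=90, max_logins=100, change_on_first_login=True)
    today = date(2024, 6, 1)
    users = [
        UserRecord("alice", date(2024, 6, 1), 0, False),   # new user, never logged in
        UserRecord("bob", date(2024, 1, 1), 5, True),      # password older than 90 days
        UserRecord("carol", date(2024, 5, 1), 100, True),  # hit the login limit
        UserRecord("dave", date(2024, 5, 20), 3, True),    # nothing triggered
    ]
    for u in users:
        print(u.username, must_change_password(u, policy, today))
```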
For information on the requirements and configuration of the password aging 
feature controlled by the CiscoSecure user database, see the 
The Windows NT/2000-based password aging feature enables you to control the 
following password aging parameters:
• Maximum password age in days
• Minimum password age in days