Table of Contents
Advertisement
Chapter 6
Setting Up and Managing User Groups
Enabling Password Aging for Users in Windows Databases
Tip
Note
78-13751-01, Version 3.0
The Windows NT/2000 Password Aging mechanism is separate and distinct from
the other Cisco Secure ACS password aging mechanisms. For information on the
requirements and settings for the password aging mechanisms that control users
in the CiscoSecure user database, see the
CiscoSecure User Database" section on page
implementing the Windows NT/2000 Password Aging mechanism include the
following:
Communication between Cisco Secure ACS and the AAA client must use
•
RADIUS.
The AAA client must support MS CHAP password aging in addition to MS
•
CHAP authentication.
Users must be in a Windows NT/2000 database.
•
•
Users must use the Windows DUN client.
You must enable MS CHAP version 1 or MS CHAP version 2, or both, in the
•
Windows NT/2000 configuration within the External User Databases section.
(Cisco IOS devices support password aging only in MS CHAP version 2.)
For information on enabling MS CHAP for password changes, see the
"Configuring a Windows NT/2000 External User Database" section on
page
11-13. For information on enabling MS CHAP in System Configuration,
see the
"Global Authentication Setup" section on page
You can run both the Windows NT/2000 Password Aging and the
Cisco Secure ACS Password Aging for Transit Sessions mechanisms,
concurrently, provided that the users authenticate from the two different
databases.
Users whose Windows accounts reside in "remote" domains (that is, not the
domain within which Cisco Secure ACS is running) can only use the
Windows-based password aging if they supply their domain name.
Cisco Secure ACS 3.0 for Windows 2000/NT Servers User Guide
Configuration-specific User Group Settings
"Enabling Password Aging for the
6-20. Requirements for
8-73.
6-25
Advertisement
Table of Contents
Troubleshooting
