User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 6 Setting Up and Managing User Groups
Configuration-specific User Group Settings
– Require change after x logins—The number of the login after which to
notify users that they must change their passwords. Continuing with
the previous example, if this number is set to 12, users receive prompts
requesting them to change their passwords on their 11th and 12th login
attempts. On the 13th login attempt, they receive a prompt telling them
that they must change their passwords. If users do not change their
passwords now, their accounts expire and they cannot log in. This
number must be greater than the Issue warning after x login number.
Tip
To allow users to log in an unlimited number of times without changing
their passwords, type -1.
• Apply password change rule—Selecting this check box forces new users to
change their passwords the first time they log in.
• Generate greetings for successful logins—Selecting this check box enables
a Greetings message to display whenever users log in successfully via the
CAA client. The message contains up-to-date password information specific
to this user account.
The password aging rules are not mutually exclusive; a rule is applied for each
check box that is selected. For example, users can be forced to change their
passwords every 20 days, and every 10 logins, and to receive warnings and grace
periods accordingly.
If no options are checked, passwords never expire.
Unlike most other parameters, which have corresponding settings at the user level,
password aging parameters are configured only on a group basis.
Users who fail authentication because they have not changed their passwords and
have exceeded their grace periods are logged in the Failed Attempts log. The
accounts expire and appear in the Accounts Disabled list.
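The login-count rule described above can be modeled to sanity-check group settings before applying them. This is an added example, not Cisco code: the function names, the warning threshold of 10 (chosen to match the prompts on the 11th and 12th logins), and the counter restarting after a password change are assumptions.

```python
# Added example: models the login-count aging rule described above.
# All names are hypothetical; none are Cisco Secure ACS identifiers.

UNLIMITED = -1  # per the Tip: -1 lets users log in without ever changing


def validate(warn_after, require_after):
    """Return findings for a group's login-count aging settings."""
    findings = []
    if require_after == UNLIMITED:
        findings.append("require_after is -1: login count never forces a change")
    elif require_after <= warn_after:
        findings.append("require_after must be greater than warn_after")
    return findings


def login_state(count, warn_after, require_after):
    """Classify the Nth login since the last password change."""
    if require_after != UNLIMITED and count > require_after:
        return "must_change"
    if count > warn_after:
        return "warn"
    return "ok"


def timeline(n_logins, warn_after, require_after, change_on=None):
    """One state per attempt; the user changes the password only on attempt
    number change_on (None means never)."""
    states, count, expired = [], 0, False
    for attempt in range(1, n_logins + 1):
        if expired:
            states.append("expired")
            continue
        count += 1
        state = login_state(count, warn_after, require_after)
        if attempt == change_on and state != "ok":
            count = 0  # assumption: a password change restarts the counter
            state += "+changed"
        elif state == "must_change":
            expired = True  # declined the mandatory change: account expires
        states.append(state)
    return states


if __name__ == "__main__":
    # Assumed warn threshold 10 with the page's require value 12.
    for n, s in enumerate(timeline(14, 10, 12), start=1):
        print(n, s)
```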
Before You Begin
• Verify that your AAA client is running the or RADIUS protocol.
( only supports password aging for device-hosted sessions.)
• Set up your AAA client to perform authentication and accounting using the
same protocol, either RADIUS.