User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
Chapter 11 Working with User Databases
Windows NT/2000 User Database
Note: If your Domain List contains domains and your Windows SAM or Active Directory user databases are configured to lock out users after a number of failed attempts, users can be inadvertently locked out because Cisco Secure ACS tries each domain in the Domain List explicitly, resulting in failed attempts for identical usernames that reside in different domains.
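As an added illustration of the lockout interaction described in the Note (a constructed model, not Cisco Secure ACS code; the domain names CORP and ENG, the passwords and the lockout threshold are assumed), the following simulates ACS trying each listed domain in order and shows how correct logins by one "alice" consume the failed-attempt budget of a same-named account in an earlier domain:

```python
"""Constructed model of Domain List lookups against lockout-enabled domains."""
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3  # assumed Windows account-lockout threshold


@dataclass
class Account:
    password: str
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Domain:
    name: str
    accounts: dict[str, Account]

    def check(self, username: str, password: str) -> bool:
        """Validate one credential pair; count failures and lock at threshold."""
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            return False  # unknown name counts nothing; locked name always fails
        if acct.password == password:
            acct.failed_attempts = 0
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return False


def authenticate(domain_list: list[Domain], username: str, password: str):
    """Try each domain in list order, as the Note describes; return the
    accepting domain's name, or None when no domain accepts."""
    for domain in domain_list:
        if domain.check(username, password):
            return domain.name
    return None


def simulate(logins: int = 3) -> dict:
    """'alice' exists in CORP and ENG with different passwords. ENG's alice
    logs in correctly `logins` times; report what happened to CORP's alice."""
    corp = Domain("CORP", {"alice": Account("corp-pw")})
    eng = Domain("ENG", {"alice": Account("eng-pw")})
    domain_list = [corp, eng]  # CORP is tried first on every request
    results = [authenticate(domain_list, "alice", "eng-pw") for _ in range(logins)]
    return {
        "eng_results": results,
        "corp_failures": corp.accounts["alice"].failed_attempts,
        "corp_locked": corp.accounts["alice"].locked,
        "corp_login_after": authenticate(domain_list, "alice", "corp-pw"),
    }
```

Every ENG login succeeds, yet after three of them CORP's alice is locked and can no longer authenticate with her own correct password.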
User-Changeable Passwords with Windows NT/2000 User Databases
For network users who are authenticated by a Windows NT/2000 user database, Cisco Secure ACS supports user-changeable passwords upon password expiration. You can enable this feature in the MS-CHAP Settings on the Windows NT/2000 User Database Configuration page in the External User Databases section. Using this feature in your network requires the following:
• Users must be present in the Windows NT/2000 user database.
• User accounts in Cisco Secure ACS must specify the Windows NT/2000 user database for authentication.
• End-user clients must be MS-CHAP compatible, such as the Windows dial-up networking client.
• The AAA client that the end-user clients connect to must use RADIUS for authentication requests sent to Cisco Secure ACS.
• The AAA client that the end-user clients connect to must support MS-CHAP.
When the conditions above are met and this feature is enabled, users receive a dialog box prompting them to change their passwords upon their first successful authentication after their passwords have expired. The dialog box is the same one Windows presents to users when a user with an expired password accesses a network via a remote access server.