Chapter 6 Setting Up and Managing User Groups
Configuration-specific User Group Settings
User Guide for Cisco Secure ACS for Windows Server
78-14696-01, Version 3.1
– Warning period—The number of days during which users are notified to
change their passwords. The existing password can still be used, but
Cisco Secure ACS presents a warning indicating that the password must
be changed and displays the number of days left before the password
expires. For example, if you enter 5 in this box and 20 in the Active
period box, users will be notified to change their passwords on the 21st
through 25th days.
– Grace period—The number of days to provide as the user grace period.
The grace period allows a user to log in once to change the password. The
existing password can be used one last time after the number of days
specified in the active and warning period fields has been exceeded.
Then, a dialog box warns the user that the account will be disabled if the
password is not changed, and enables the user to change it. Continuing
with the examples above, if you allow a 5-day grace period, a user who
did not log in during the active and warning periods would be permitted
to change passwords up to and including the 30th day. However, even
though the grace period is set for 5 days, a user is allowed only one
attempt to change the password when the password is in the grace period.
Cisco Secure ACS displays the “last chance” warning only once. If the
user does not change the password, this login is still permitted, but the
password expires, and the next authentication is denied. An entry is
logged in the Failed-Attempts log, and the user must contact an
administrator to have the account reinstated.
Note: All passwords expire at midnight, not the time at which they were set.
• Apply age-by-uses rules—Selecting this check box configures
Cisco Secure ACS to determine password aging by the number of logins. The
age-by-uses rules contain the following settings:
– Issue warning after x logins—The number of the login upon which
Cisco Secure ACS begins prompting users to change their passwords.
For example, if you enter 10, users are allowed to log in 10 times without
a change-password prompt. On the 11th login, they are prompted to
change their passwords.
Tip: To allow users to log in an unlimited number of times without changing
their passwords, type -1.
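The following added example (not Cisco code, and not part of the original guide) models the age-by-date warning and grace period rules and the "Issue warning after x logins" setting described above, so an administrator can check which day a given combination of settings puts a user in. The function names, the state labels, and the choice of the password-set date as day 1 are assumptions of this sketch.

```python
from datetime import datetime

def age_by_date_state(set_at, login_at, active, warning, grace,
                      grace_login_used=False):
    """Classify a login under the age-by-date rules.

    Assumption: day 1 is the calendar date on which the password was set.
    Only dates are compared, because passwords expire at midnight rather
    than at the time of day they were set.
    """
    day = (login_at.date() - set_at.date()).days + 1
    if day <= active:
        return "active"    # normal login, no prompt
    if day <= active + warning:
        return "warning"   # login allowed, user is told to change password
    if day <= active + warning + grace and not grace_login_used:
        return "grace"     # the single "last chance" login
    return "expired"       # authentication denied, admin must reinstate

def age_by_uses_prompt(login_number, issue_warning_after):
    """True when this login triggers the change-password prompt."""
    if issue_warning_after == -1:   # -1 means unlimited logins, no prompt
        return False
    return login_number > issue_warning_after

if __name__ == "__main__":
    # Constructed sample: the guide's settings (active 20, warning 5,
    # grace 5) applied to a password set at 15:00 on 1 January 2024.
    set_at = datetime(2024, 1, 1, 15, 0)
    for day_of_month in (20, 21, 25, 26, 30, 31):
        login = datetime(2024, 1, day_of_month, 0, 5)
        print(day_of_month, age_by_date_state(set_at, login, 20, 5, 5))
    print("login 11, warn after 10:", age_by_uses_prompt(11, 10))
```
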