Cisco 2509 - Router - EN User Manual page 186

Configuration-specific User Group Settings
Tip
•
Tip
Users whose Windows accounts reside in "remote" domains (that is, not the
domain within which Cisco Secure ACS is running) can only use the
Windows-based password aging if they supply their domain names.
The methods and functionality of Windows password aging differ according to
whether you are using Windows NT or Windows 2000, and whether you employ
Active Directory (AD) or Security Accounts Manager (SAM). Setting password
aging for users in the Windows NT/2000 database is only one part of the larger
task of setting security policies in Windows. For comprehensive information on
Windows procedures, refer to your Windows NT/2000 system documentation.
User Guide for Cisco Secure ACS for Windows Server
6-26
For information on enabling MS CHAP for password changes, see
Configuring a Windows NT/2000 External User Database, page
For information on enabling MS CHAP in System Configuration, see
Global Authentication Setup, page
EAP-GTC password aging—EAP-GTC password aging depends upon the
PEAP(EAP-GTC) authentication protocol to send and receive the password
change messages. Requirements for implementing the EAP-GTC Windows
password aging mechanism include the following:
The AAA client must support EAP.
–
Users must be in a Windows NT/2000 database.
–
– Users must be using an EAP-compliant Microsoft client, such as
Windows XP.
– You must enable PEAP on the Global Authentication Configuration page
within the System Configuration section.
For information on enabling PEAP in System Configuration, see
Authentication Setup, page
Chapter 6 Setting Up and Managing User Groups
8-81.
8-81.
11-14.
Global
78-14696-01, Version 3.1