Cisco 3.3 User Manual

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 6 User Group Management

Configuration-specific User Group Settings

and displays the number of days left before the password expires. For
example, if you enter 5 in this box and 20 in the Active period box, users
will be notified to change their passwords on the 21st through 25th days.

Grace period—The number of days to provide as the user grace period.
The grace period allows a user to log in once to change the password. The
existing password can be used one last time after the number of days
specified in the active and warning period fields has been exceeded.
Then, a dialog box warns the user that the account will be disabled if the
password is not changed, and enables the user to change it. Continuing
with the examples above, if you allow a 5-day grace period, a user who
did not log in during the active and warning periods would be permitted
to change passwords up to and including the 30th day. However, even
though the grace period is set for 5 days, a user is allowed only one
attempt to change the password when the password is in the grace period.
Cisco Secure ACS displays the “last chance” warning only once. If the
user does not change the password, this login is still permitted, but the
password expires, and the next authentication is denied. An entry is
logged in the Failed-Attempts log, and the user must contact an
administrator to have the account reinstated.

Note

All passwords expire at midnight, not the time at which they were set.
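The age-by-date behavior described above can be modeled as a small state machine. The following is an added example, not Cisco Secure ACS code; it uses the 20/5/5-day values from the manual's running example, and the function names, the sample dates, and the choice to count the day the password was set as day 1 are assumptions of this sketch.

```python
from datetime import datetime
from enum import Enum

# Periods from the manual's running example, in days.
ACTIVE, WARNING, GRACE = 20, 5, 5

class Phase(Enum):
    ACTIVE = "login allowed"
    WARNING = "login allowed, change-password warning shown"
    GRACE = "one last-chance login allowed"
    EXPIRED = "authentication denied, entry in Failed-Attempts log"

def password_day(set_at: datetime, login_at: datetime) -> int:
    # Assumption: the calendar day the password was set counts as day 1.
    # Comparing dates rather than timestamps models "expire at midnight".
    return (login_at.date() - set_at.date()).days + 1

def evaluate(set_at, login_at, grace_login_used=False):
    """Return (phase, grace_login_used_after) for one login attempt.

    Models a user who does not change the password at this login.
    """
    day = password_day(set_at, login_at)
    if day <= ACTIVE:
        return Phase.ACTIVE, grace_login_used
    if day <= ACTIVE + WARNING:
        return Phase.WARNING, grace_login_used
    if day <= ACTIVE + WARNING + GRACE and not grace_login_used:
        return Phase.GRACE, True  # the single grace login is now spent
    return Phase.EXPIRED, grace_login_used

def replay(set_at, logins):
    """Replay login timestamps in order and return the phase of each."""
    used, phases = False, []
    for ts in logins:
        phase, used = evaluate(set_at, ts, used)
        phases.append(phase)
    return phases

if __name__ == "__main__":
    set_at = datetime(2024, 3, 1, 16, 0)  # constructed sample data
    logins = [
        datetime(2024, 3, 20, 23, 59),    # day 20, still active
        datetime(2024, 3, 21, 0, 0),      # day 21 begins at midnight
        datetime(2024, 3, 26, 9, 0),      # day 26, grace login
        datetime(2024, 3, 27, 9, 0),      # grace already used
    ]
    for ts, phase in zip(logins, replay(set_at, logins)):
        print(ts, phase.name, "-", phase.value)
```

The second sample login is in the warning period even though fewer than 20 full days have elapsed since 16:00 on the day the password was set, which is the effect of the midnight rule in the Note.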

Apply age-by-uses rules—Selecting this check box configures Cisco Secure
ACS to determine password aging by the number of logins. The age-by-uses
rules contain the following settings:

Issue warning after x logins—The number of the login upon which
Cisco Secure ACS begins prompting users to change their passwords. For
example, if you enter 10, users are allowed to log in 10 times without a
change-password prompt. On the 11th login, they are prompted to change
their passwords.

Tip

To allow users to log in an unlimited number of times without changing their
passwords, type -1.

Require change after x logins—The number of the login after which to
notify users that they must change their passwords. Continuing with
the previous example, if this number is set to 12, users receive prompts