ACS 5.3 UCP Password Change

Similar Messages

• ACS Appliance - Local User Password Changing Options

  I am configuring a pair of 1113 appliances running ACS 4.2. The client wants to only user local user accounts stored in the ACS database for AAA on devices and LMS and Ops Manager logins. There are configurable password aging settings for users and groups. The question that I have is how are the users notified that their passwords are expired and ow can they change them? The customer uses only ssh for device management. Is the UCP utility still a requirement if an appliance is used as opposed to a standard Windows ACS installation. I also came across this bug:
  SCsj50218 Bug Details
  Password expiry feature should be support for users local to ACS
  Symptom:
  ACS currently does not support password expiry / password management feature for locally configured users.
  Conditions:
  users are configured locally on ACS as opposed to an external database such as active directory.
  Workaround:
  user external database / server where user profiles are setup.

  ACS supports Password Aging for Device-hosted Sessions-Users must be in the CiscoSecure user database, the AAA client must be running TACACS+, and the connection must use Telnet. You can control the ability of users to change passwords during a device-hosted Telnet session.
  You can also control whether Cisco Secure ACS propagates passwords changed by this
  feature.
  UCP is used in both appliance and window.
  Regards,
  ~JG
  Do rate helpful posts

• ACS 5.4 How to change CLI password?

  Anyone know how to change the ACS 5.4 CLI password?
  I found the command "acs reset-password".  But it seems to reset the GUI password instead of CLI password.
  Thank you very much!

  If you already know the current admin CLI password so to reset the password for the ACS CLI admin you'll have to use the "username" command.
  Reference:  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/command/reference/cli_app_a.html#wp1896348
  The DVD is used to reset the password in situations where the password has been lost/forgotten.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• ACS 'Password Change Rule' doesn't work with telnet

  Hello:
  I am trying to configure that users have to change their passwords when they enter to a network appliance the first time they log in.
  I have an ACS 4.0 appliance, the option "Disable TELNET Change Password against this ACS and return the following message to the users telnet session" is disable. When I try to enter to a Catalyst 6500, for instance, I type user and pass and I get Rejected (RADIUS is the protocol used).
  In the ACS' reports I can see it appears the next error 'Authen Failed - CS Password Expired'.
  I only have enabled the option "Apply password change rule" in Group Settings, the others options for "Password Aging Rules" are deactivated.
  Thanks for your help,
  Francisco

  You'll need to be using TACACS+ to get password change to work.
  Doesnt work with RADIUS.

• How to edit the ACS Report Password Change Attempts by Non-Owner

  Hi,
  The scenario is the following: 1 SCOM 2007 R2 CU5 Server. ACS Installed.
  I need to add a column to the report "Password Change Attempts by Non-Owner"
  But, using SQL Server Reporting Services Report Builder 1.0, I get the following error:
  The question is:
  How to add a column in the report "Password Change Attempts by Non-Owner"?
  Thanks!

  Based on my understanding, this report could not be edited. You may need to try creating another report to achieve this:
  Some Custom ACS Reports
  http://blogs.technet.com/b/jimmyharper/archive/2009/12/10/some-custom-acs-reports.aspx
  Audit Report Scenarios: How to create custom reports with System Center Operations Manager 2007 R2 and Audit Collection Services (ACS)
  http://blogs.technet.com/b/nzdse/archive/2009/11/06/audit-scenarios-system-center-operations-manager-2007-r2-and-audit-collection-services-acs.aspx
  Hope this helps.
  Thanks.
  Nicholas Li
  TechNet Community Support

• Password change from SSH in Cisco Secure ACS 4.1

  I am using cisco ACS for windows Release 4.1(1) Build 23 Patch 5.
  I have enable password aging for 30 days. after 30 days it is prompting me to change the password while i telnet to any client. it is working fine.\
  Recently we have disabled telnet in all network devices and using ssh instead of telnet.
  Am not able to change the password from putty. same if i connect through the telnet it is prompting to change the password.
  Because of this i am not able to access any network devices after 30 days.
  Suggestions will be greatly appreciated.
  Thanks in advance.

  Went through this painful exercise a couple
  weeks ago. You need to use the IOS 12.4
  K9 image on the routers because password change
  only supports on ssh version 2. See example
  below:
  [Expert@P1-NGx]# ssh -2 -l ngx1 192.168.15.248
  [email protected]'s password:
  Password change request
  Enter [email protected]'s old password:
  Enter [email protected]'s new password:
  Retype [email protected]'s new password:
  C3640>sh ver
  Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(13a), RELEASE SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2007 by Cisco Systems, Inc.
  Compiled Tue 06-Mar-07 20:25 by prod_rel_team
  ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
  C3640 uptime is 1 week, 5 days, 13 hours, 5 minutes
  System returned to ROM by reload at 03:18:41 UTC Fri Nov 28 2008
  System restarted at 03:20:58 UTC Fri Nov 28 2008
  System image file is "flash:c3640-jk9o3s-mz.124-13a.bin"
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco 3640 (R4700) processor (revision 0x00) with 98304K/32768K bytes of memory.
  Processor board ID 24829119
  R4700 CPU at 100MHz, Implementation 33, Rev 1.0
  2 FastEthernet interfaces
  4 Serial interfaces
  1 HSSI interface
  DRAM configuration is 64 bits wide with parity disabled.
  125K bytes of NVRAM.
  32768K bytes of processor board System flash (Read/Write)
  Configuration register is 0x2102
  C3640>
  Easy right?

• Using AnyConnect NAM for wireless and AD password changes

  Hi,
  I am having a problem with AD password changes and wireless profiles in AnyConnect. Once a user changes their password from their PC and then tries to connect to our WPA2 802.1x wireless it fails to authenticate and I cannot find a way to update the password that works. So we currently delete the wireless profile and create a new one. Is there a way that NAM could pull user/password from login or any other fix. We are also using ACS 4.1. AnyConnect version 3 to 3.0.5080.
  Thanks!                 

  In your anyconnect profile did you set the "use single sign on credentials"? Also did you try the repair option to see if it works after that (I am not suggesting a solution but for troubleshooting). Does logging on and off the machine help resolve the issue? Does this happen on all workstations?
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html#wp1166170
  Even though this is for user authentication this bug seems like a candidate:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtx03814&from=summary
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• PASSWORD CHANGING BY FIRST LOGIN

  IS THERE ANYWAY I CAN CONFIGURE THE USER NAME PASSWORD FOR THE USER WHEN THE FISRT LOGGING THE CAN CHANGE THE PASSWORD THEMSELVES.

  You need to go to ACS--->System configuration--->Local password management -->Remote Change Password.
  Note: You can change a user password from the device using TACACS+ using chpass. This check box is used to disable the password change.
  Regards,
  ~JG
  Do rate helpful posts

• RBACx Encrypted Password Change Utility

  Hi all,
  In the OIA/SRM installation guide, there is a reference to a tool, to find out the password of rbacxservice.
  "Oracle Identity Analytics utilizes an encrypted password when communicating with the database.
  To change the default database password, use the RBACx Encrypted Password Change Utility"
  Could you please help me finding out this tool.
  Many thanks in advance.
  Warm regards,
  Manipradeep Sunku.

  The mentioned tool only encrypts the password so that you don't have to store a plain text password in the config file. It does not decrypt it. The default rbacxservice password is rbacxservice.
  The tool does not come with the OIA/SRM distribution so if you need it, you will need to contact support.

• User Password change fails in OWA 2013

  User Password change fails in OWA with this error: Your password couldn't be changed. Make sure the old password you typed is correct and that the new password meets the minimum security requirements.
  We are migrating from Exchange 2007 to Exchange 2013.  Have mailboxes in both environments.  OWA 2007 password changes succeed (user mailbox is still in Exchange 2007).  When the user mailbox is moved to Exchange 2013, password changes fail
  with the above error.
  We have the Exch 2013 servers are on Windows 2012 and we are running Exch 2013 CU3.   We have made changes to the Default Role Assignment Policy to prevent users from changing Contact information and setting user photos, etc.  We are not exactly
  sure when user password changes stopped working, or even if they ever did work, although we recently installed our Prod Exch 2013 servers alongside our 2007 servers without any RBAC delegation implemented and a quick test of a user password change was successful.
  I reversed all the changes to the Default Role Assignment Policy but the password change still fails.

  Hi,
  Please try the following steps in your CAS server:
  1. Click Start > Run and type regedit and click OK.
  2. Navigate to the "HKLM\SYSTEM\CurrentControlSet\Services\MSExchange OWA" key.
  3. Set the ChangeExpiredPasswordEnabled value from 1 to 0.
  4. Close regedit and re-open it.
  5. Set the ChangeExpiredPasswordEnabled value from 0 to 1.
  6. Close regedit.
  7. After you configure this DWORD value, please reset IIS. The recommended method to reset IIS is to use IISReset /noforce from a command prompt.
  Here is the similar thread about password change issue in Exchange 2013 CU3, please refer to:
  http://social.technet.microsoft.com/Forums/en-US/30b74c81-9b98-46f4-9ca0-1c3bb74f4a3f/users-with-expired-passwords-or-change-password-at-next-logon-unable-to-change-password-via-owa-in?forum=exchangesvrclients
  Hope it helps.
  Thanks,
  Winnie Liang
  TechNet Community Support

• Is autoconfig required to be run for apps password change

  Is autoconfig required to be run for apps password change -- We are only changing APPS and APPLSYS passwords.
  How to Change Applications Passwords using Applications Schema Password Change Utility (FNDCPASS or AFPASSWD) [ID 437260.1] -- does not mention anything about autoconfig.
  Please clarify.
  Thanks

  It's mentioned in the document twice
  1. For APPLSYSPUB/GUEST as you mentioned
  2. Under "Verify the new password" which cover the apps/applsys passwords
  If you search the doc for "AutoConfig" you will find it there.
  Thanks,
  Hussein

• Weblogic admin user password change w/o disrupting existing users

  Hi Folks,
  As a business policy we need to change the password of the admin user in weblogic after a cycle of specific period.
  Please let us now how can we do that without losing the other existing users in 'my realm.'
  I understand that we can use the weblogic.utils.security.AdminAcoount utility to give the new password, which will create a new DefaultAuthenticatorInit.ldift file in +<domain-home>/security+ folder (according to Doc ID 1082299.1).
  The password will change but the users in 'my realm' will be lost. (there are many users and it is a production environment so recreation is out-of- question)
  Is there a way we can retain the users and still proceed with the password change?
  Cheers,
  Jeegar

  Hi Jeegar,
  This can be doen by followin the standard procedure by login to console and navigate to :-
  DOMAIN_STRUCTURE--->Security Realm--->myrealm--->Users and Groups---->User tab click on the user weblogic
  --click on the password tab and put the new password there and save (password is changed for the user here)
  ---Logout from the console and login to the console again using the new password
  But when the server starts it do not read the password for the user directly from the realm rather it picked the same from the $DOMAIN_HOME/servers/AdminServer/security/boot.properties
  Now in order to make this change available when the server starts change the values for the username and password in boot.properties and specify them in plain-text and save the same.
  Now next time whenever the server will start it will pick up the new values from the boot.properties and once the same had been accepted those will be encrypted again.
  You might have to make the change for the boot.properties for all the Managed Server if you have the Managed Servers in the domain which will be located at the location $DOMAIN_HOME/servers/<<Managed Server Name>>/data/nodemanager/boot.properties
  You can test the steps on some lower environment first and try the same in Critical environment once the testing goes successful.
  Regards,
  Vijay
  Edited by: V Kumar on Oct 25, 2012 3:06 PM

• Airport Extreme WiFi password change

  I want to change the network password on my Airport router. When I open Airport Utility it attempts to locate the Airport base station but never finds it. It says "no configured Airport base stations have been found...will continue searching" The Airport is working and is connected to the Internet. I have Wifi access from this Mac & mobile devices in the house.
  Any ideas on what I can do to access the base station to make the password change?

  Also, is your Mac connected to the AirPort Extreme/Express (either by ethernet cable or the AirPort's own wifi) or might it have gotten connected to some other wifi network (possibly associated with your ISP's modem, gateway, or router)?

• Outlook 2013 - Password change breaks S/MIME Certs "An error occurred in the underlying security system. Key not valid for us in specified state."

  AD password change comes up, user changes password.
  Tries to send signed or encrypted email with a Comodo S/MIME certificate, and gets the following error:
  ""An error occurred in the underlying security system.  Key not valid for us in specified state."
  I now have two reports of this error - one on Windows 7, and one on Windows 8.0 (remote user).
  The one on Windows 8.0, we tried removing their S/MIME cert from Outlook/Windows and re-adding, this did NOT resolve the issue.
  Plan was originally to have the 8.0 user ship their machine in, and wipe it, since nothing else could fix it and I wasn't finding anyone else with the same issue.  Now that I've got a second user with the same issue, its looking like a bug/issue and
  not a random glitch.
  Thanks in advance for any and all help with this!

  Hi,
  Thank you for your question.
  I am trying to involve someone familiar with this topic to further look at this issue.
  Thanks,
  Melon Chen
  Forum Support
  Come back and mark the replies as answers if they help and unmark them if they provide no help.
  If you have any feedback on our support, please click
  here

• ORACLE Password Change using APEX FORM

  Greetings!
  I would like to find out, if there is a utility or a sample page that permits the Database password changes for the DB users within the Database. My goal is for users to maintain password using the Browser, instead of using SQL*Plus or similar Windows tools
  Thanks in advance for your help!
  Muni

  So if you and I can both authenticate to this application, we will necessarily have separate accounts, say in the Application Express account repository of that application's workspace. Our accounts will each have a password that is not synchronized with our database account password. The application will allow me (SCOTT) to change only the database account named SCOTT and will allow you (VIKAS) to change only the database account named VIKAS. That rule would make it unnecessary for the provided form to provide an input field for the database account name (it would be pre-populated). Unfortunately, the chosen authentication method requires each of us to remember our application password, and, if the application is built correctly, to remember our old database password as well. (Implementing that verification has its own issues.) If the application used LDAP then a mapping table would be needed to relate [email protected] to VIKAS. Every time a new database user needed the self-service password facility, a new user account (and a new password), and a new mapping table entry would have to be created. All of that complexity is eliminated if the application uses Database Account credentials authentication -- a new database user is created, the user can authenticate to the application and use it; the database user is removed, the user can no longer authenticate.
  Let's not confuse the aim of providing a self-service "change my database password" application (the original requirement) with the simpler task of providing a super-user-oriented database account management page (like we did in XE).
  Scott