Configuration Guide for Cisco Secure ACS 4.2
Chapter 5 Password Policy Configuration Scenario
Step 3: Configure Session Policy
Specify Password Inactivity Options
In the Password Inactivity Options section, configure:
• The password will require change after n days—Following the last account activity, if enabled, n
specifies the number of days before ACS requires a change of password due to password inactivity.
The default value is 30 days; the range is 1 to 365 days. When the option The Administrator
will be locked after n days is checked (enabled), ACS compares the two Password Inactivity
Options and uses the greater value of the two.
Note: For additional security, ACS does not warn users who are approaching the limit for password inactivity.
• The Administrator will be locked out after n days—Following the last account activity, if
enabled, n specifies the number of days before ACS locks out the associated administrator account
due to password inactivity (default = 30, range = 1 to 365).
Note: For additional security, ACS does not warn users who are approaching the limit for account inactivity.
Specify Incorrect Password Attempt Options
In the Incorrect Password Attempt Options section, configure:
• Lock out Administrator after n successive failed attempts—If checked (enabled), n specifies the
allowable number of incorrect password attempts. When checked, n cannot be set to zero (0). If not
checked (disabled), ACS allows unlimited successive failed login attempts. The default value is 3 days;
the range = 1 to 98 days.
Note: For additional security, ACS does not warn users who are approaching the limit for failed attempts. If
the Account Never Expires option is checked (enabled) for a specific administrator, this option is
Step 3: Configure Session Policy
To configure session policy:
Step 1 On the Administration Control page, click Session Policy.
The Session Policy Setup page opens, as shown in Figure 5-3.