Starting with Cisco Secure ACS for Windows Server version 3.2,
system administrators can enable User-Changeable Password (UCP). UCP is an
application that enables users to change their Cisco Secure ACS passwords with
a web-based utility. A web server that runs Microsoft Internet Information
Server (IIS) 5.0 or later is required to install UCP.
When users need to
change passwords, they can access the UCP server web page using a supported web
browser. The UCP web page requires users to log in. The password required is
the PAP password for the user account. UCP authenticates the user with Cisco
Secure ACS and then allows the user to specify a new password. UCP changes both
the PAP and CHAP passwords for the user to the password submitted.
Communication between the UCP server and the Cisco Secure ACS system is
protected with 128-bit encryption. To further increase security, it is
recommended to implement SSL to protect communication between user web browsers
and the UCP server.
The SSL protocol secures remote access data transfers between the UCP
web server and the user's web browser.
Because users change their Cisco Secure ACS database passwords over a
connection between their web browsers and Microsoft IIS, user and password data
is vulnerable on that connection. The SSL protocol encrypts data transfers,
including passwords, between web browsers and Microsoft IIS.