nexus aaa - Change password on next login

luke.brooker1
Level 1

Hi - I have a number of Cisco Nexus 5596 chassis in our network. I have a need for users to set their own password by using the 'Change password on next login' feature in Cisco ACS (version 5.4.0.46.0a - yes, I know it's old).

On our non-Nexus devices this works fine, but the aaa/tacacs config on our Nexus switches doesn't allow this password change to happen; in fact, if the change password box is ticked in ACS, login fails for that user on the Nexus devices only. If the user logs into an IOS switch, they are prompted to update their password as expected.

Any suggestion on what aaa config line(s) I would need to make this work? I have been doing some testing but have been unable to come up with a working config.

(Nexus - 9.7.0.8.N1.1.bin)

 

Thanks,

1 Accepted Solution

Accepted Solutions

mojafri
Cisco Employee

Hi @luke.brooker1,

 

You might need 'aaa authentication login ascii-authentication' on the N5K side. IOS works differently.

Please rate if you find it helpful.

 

Regards,

MJ


4 Replies

Thanks - that resolved the issue:

login: <username>
Password:
Enter new password:
Enter new password confirmation:

Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac

Is there some document I could read to understand how/why that has fixed the problem? Just for my own understanding of the topic.

 

Much appreciated.

Thanks,

Hi @luke.brooker1,

It's actually a limitation of the PAP auth protocol. If you go through the RFC for PAP (http://tools.ietf.org/html/rfc1334#section-2), the server isn't allowed to send any challenges to the client. It's either yes or no. With ASCII authentication enabled, the server can say 'Yes, the user authenticated, however he has to change his password.'

At the packet level, the client is supposed to send the username/password in a single START packet and the server replies with a single REPLY packet containing the PASS/FAIL status. Only in the case of ASCII authentication can the server prompt for the username and/or password in one or multiple REPLY packets. NX-OS has PAP enabled by default, and in IOS it's ASCII with PAP by default.

Hope this helps!

Regards,

MJ
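To illustrate the START/REPLY flow MJ describes, here is an added Python model of both authentication types (example code, not Cisco's or ACS's own); the status codes are the TACACS+ values from RFC 8907, while the user records, the must_change flag and the prompt strings are constructed to match the session output quoted above.

```python
# Toy model of the TACACS+ authentication exchange (status codes from RFC 8907),
# showing why a PAP START/REPLY pair cannot carry a password-change prompt while
# ASCII authentication can. Added example; the user records are constructed.
AUTHEN_TYPE_ASCII, AUTHEN_TYPE_PAP = 0x01, 0x02
PASS, FAIL, GETDATA, GETUSER, GETPASS = 0x01, 0x02, 0x03, 0x04, 0x05

def make_users():
    # Constructed records: password plus an ACS-style "change on next login" flag.
    return {"luke": {"password": "old-pass", "must_change": True},
            "ops": {"password": "ops-pass", "must_change": False}}

def tacacs_server(users, authen_type, user, data):
    """Server side as a generator: yields (status, server_msg) REPLY packets and
    receives the client's CONTINUE user_msg through .send()."""
    rec = users.get(user)
    if authen_type == AUTHEN_TYPE_PAP:
        # PAP: username and password both travel in the START packet and the
        # server answers with exactly one REPLY, PASS or FAIL. No status means
        # "correct, but set a new password first", so a flagged account fails
        # (the behaviour observed on the Nexus in the thread above).
        ok = rec is not None and rec["password"] == data and not rec["must_change"]
        yield (PASS if ok else FAIL, "")
        return
    # ASCII: the server drives the dialogue with GETPASS/GETDATA prompts.
    pw = yield (GETPASS, "Password:")
    if rec is None or rec["password"] != pw:
        yield (FAIL, "")
        return
    if rec["must_change"]:
        new = yield (GETDATA, "Enter new password:")
        confirm = yield (GETDATA, "Enter new password confirmation:")
        if not new or new != confirm:
            yield (FAIL, "")
            return
        rec["password"], rec["must_change"] = new, False
    yield (PASS, "")

def run_login(users, authen_type, user, password, new_password=None):
    """Client side: answers each server prompt. Returns (final status, prompts)."""
    answers = {"Password:": password, "Enter new password:": new_password,
               "Enter new password confirmation:": new_password}
    start_data = password if authen_type == AUTHEN_TYPE_PAP else ""
    srv = tacacs_server(users, authen_type, user, start_data)
    status, msg = next(srv)
    prompts = []
    while status in (GETUSER, GETPASS, GETDATA):
        prompts.append(msg)
        status, msg = srv.send(answers.get(msg))
    return status, prompts
```

Calling run_login with AUTHEN_TYPE_PAP for the flagged user returns FAIL with no prompts, whereas AUTHEN_TYPE_ASCII walks through the three prompts and returns PASS once the new password is stored.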
