11-09-2010 04:22 AM - edited 03-10-2019 05:33 PM
Hi,
To be precise, I am using ACS version 5.1.0.44.4.
My AAA clients are IOS 15.0.1 (M2) for the router and 12.2.52 (SE) for the switch.
The main issue is to
- Send a message to the end-user that his password is about to expire
- Give the tool to the user to actually change his password.
I have configured the AAA server using TACACS+ to warn the user before their password will time-out.
I have observed the following:
- If the user SSHes to the AAA client directly as enable (priv-level = 15), no warning is shown about the password expiry date.
- If the user SSHes to the AAA client directly with priv-level = 1, and then re-authenticates to become enable, only then is a warning message displayed.
- If we say that P1 is the password to authenticate and get privilege level 1, and P2 the password to then become enable, I have seen that:
* The warning message concerns only P1
* There is no way to know how old is P2
* There is no way to enforce P2 to actually be changed.
- Ticking or not ticking "TACACS Enable Password" does not help in any way, since there is no expiry-date field added to it.
- Finally, I do not tick the "TACACS Enable Password" meaning that the user has only one password P1 stored in the ACS, I then did the following test:
* connection via ssh to the aaa client.
* I authenticate using P1
* I am granted priv-15, as per my ACS rules in place
* Then, type "disable" and "enable"
* At the prompt asking for password, I write nothing and press enter, the AAA client asks then for the old and new password
* The last action just created an additional password P2, which is not identical to P1
So, we just lose synchronization.
The only work around so far is to:
- Log in with privilege level 15,
- Not ticking "TACACS Enable Password"
- Use P1 to become level 15 directly, since only P1 can have a timestamp
- Send a password warning by e-mail to an admin, when an account is about to expire. (that last part is not clear yet)
Any suggestion would be welcome.
Thank you,
Christophe
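As an added illustration (not part of Christophe's post, and not taken from ACS or IOS documentation), this is the IOS-side AAA configuration that puts the workaround above in place: login authentication and exec authorization go through TACACS+, so the ACS shell profile can return privilege level 15 at login and only P1, the password that carries an expiry timestamp, is ever used. The server address, shared key and local fallback account are placeholders.

```cisco-ios
! Added example: IOS AAA client pointing at an ACS 5.x TACACS+ server.
! 192.0.2.20, the shared key and the local account are placeholders, not values from the thread.
aaa new-model
!
tacacs-server host 192.0.2.20
tacacs-server key PLACEHOLDER-SHARED-KEY
!
! Login authentication via TACACS+, with local fallback only if no server answers.
aaa authentication login default group tacacs+ local
!
! Exec authorization via TACACS+: when the ACS shell profile returns priv-lvl=15,
! the session starts at privilege 15 and the separate enable password (P2) is never asked for.
aaa authorization exec default group tacacs+ local
!
! Enable authentication stays on TACACS+ for any account that still lands at level 1;
! as observed in the thread, that enable password has no expiry date on the ACS side.
aaa authentication enable default group tacacs+ enable
!
! Local fallback account, used only when the TACACS+ server is unreachable.
username admin-local privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
!
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
```

On the ACS side, the shell profile matched by the device-administration policy must set the default privilege to 15 for this to take effect; the device itself never decides the level. The local account exists only so that an ACS outage does not lock out administration, and it should be covered by a separate rotation process, since nothing in the expiry mechanism discussed here applies to it.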
11-09-2010 08:48 AM
What is your SSH client?
11-09-2010 11:21 AM
If I remember correctly, the TACACS+ password-change feature is only supported on Telnet sessions. SSH might or might not work.
11-09-2010 11:23 AM
It works if the version of IOS supports it and the SSH client supports keyboard interactive, and that method is tried first (some clients, for example SecureCRT, have Password as the first method by default).
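To illustrate the method-ordering point, here is an added example (not from the reply above) of an OpenSSH client configuration that offers keyboard-interactive before password for the AAA clients, so the old-password/new-password dialogue can actually be presented to the user. The host name, address and user name are placeholders.

```sshconfig
# Added example (not from the thread): OpenSSH client settings for the IOS AAA clients.
# Host name, address and user are placeholders.
Host lab-router
    HostName 192.0.2.10
    User netadmin
    # Offer keyboard-interactive first: the IOS/TACACS+ password-change prompts
    # (old password, new password, confirm) are only delivered over this method.
    # Plain password is kept as a fallback for devices that do not support it.
    PreferredAuthentications keyboard-interactive,password
    KbdInteractiveAuthentication yes
```

The one-off equivalent on the command line is `ssh -o PreferredAuthentications=keyboard-interactive,password netadmin@192.0.2.10`. If a client such as SecureCRT is in use, the same ordering has to be set in its session options, because with Password tried first the device accepts the login and the expiry warning and change dialogue are never triggered.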
11-10-2010 02:48 AM