12-31-2012 03:37 AM - edited 03-10-2019 07:55 PM
Hi All,
I seem to be getting this diagnostic message for one of my usernames:
TACACS+ authentication request switches from Login to Change Password functionality.
Now I can't see if this has a session limit or timer on it.
There doesn't seem to be one set, but this is causing a lot of AAA error messages.
Has anyone any idea of how I can set the password configuration for this user so that
this doesn't happen?
It's almost certainly an ACS issue, but I just don't know where the appropriate settings are.
Thanks,
Steve
12-31-2012 04:44 AM
Steve,
Can you post a screenshot of where you are seeing the error message? Is this on the ACS or on the network devices? I know that if you hit the Enter key with a blank password you will be prompted to change your password; is this when you are experiencing this message?
thanks
Sent from Cisco Technical Support iPad App
12-31-2012 06:08 AM
Hi Tarik,
I can't seem to get my screenshot to display.
Anyway, I see it in my ACS Monitoring and Reports, under
AAA Protocol > AAA Diagnostics:
Generated on December 31, 2012 11:27:46 AM GMT
Dec 31,12 6:23:17.850 AM | Dec 31,12 6:23:17.823 AM | lon-inf-lacs01/142119818/778063 | WARN | TACACS+ authentication request switches from Login to Change Password functionality. | CSCOacs_TACACS_Diagnostics | 13041
Thanks for getting back to me.
Steve
12-31-2012 03:31 PM
In the error logs, are you seeing this with every TACACS authentication request? Do you see the same issue when you log in to the devices yourself? Is there a tool, i.e. Prime or CiscoWorks, that is causing these messages?
Thanks,
Sent from Cisco Technical Support iPad App
01-02-2013 12:41 AM
Hi Tarik,
It's only this user, and it is coming from Cisco Prime; I didn't set this user up, unfortunately.
I was just wondering where the settings might be to address this.
If I log in using my AD account, I don't see this issue.
This user is not an AD user but an internal identity store user.
Maybe there is a setting for these on ACS to stop this from happening, but I cannot find it!
Steve
01-02-2013 12:45 AM
If this device is using TACACS, you may want to SPAN the port that Prime is on and decrypt the payload using Wireshark (you can set the shared secret in the preferences option under the TACACS protocol when looking at the packet capture). I wonder if the Prime application is sending a leading
Thanks,
Tarik Admani
*Please rate helpful posts*
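Added example (not part of the thread, and not Cisco or Wireshark code): the decryption Tarik describes is the TACACS+ body obfuscation from RFC 8907, an XOR with an MD5 pseudo-pad derived from the shared secret, so the same thing Wireshark does when you give it the key can be scripted over a capture. The Python below builds a constructed sample "capture" (the shared secret `s3cret`, the username `prime-svc`, the session IDs and the password are all made up for the example), decrypts each client packet, and reports the authentication START `action` (LOGIN vs CHPASS) plus whether the client answered a prompt with an empty password, which is the blank-password case Tarik mentions above. Parsing a real pcap would need a TCP-stream reader in front of it; that part is left out.

```python
import hashlib
import struct

# TACACS+ wire constants (RFC 8907).
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
VERSION_DEFAULT = 0xC0   # major 0xc, minor 0: ASCII login
VERSION_ONE = 0xC1       # major 0xc, minor 1: PAP/CHAP START
ACTION_NAMES = {0x01: "LOGIN", 0x02: "CHPASS", 0x04: "SENDAUTH"}
AUTHEN_TYPE_NAMES = {0x01: "ASCII", 0x02: "PAP", 0x03: "CHAP"}
AUTHEN_TYPE_PAP = 0x02

HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 pseudo-pad from RFC 8907 section 4.5: each MD5 chains on the previous digest."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(session_id, key, version, seq_no, body):
    hdr = HDR.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)


def authen_start(action, authen_type, user, port=b"tty0", rem_addr=b"", data=b""):
    fixed = bytes([action, 1, authen_type, 1, len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def authen_continue(user_msg, data=b"", flags=0):
    return struct.pack("!HHB", len(user_msg), len(data), flags) + user_msg + data


def parse_packet(raw, key):
    """Decrypt one client-to-server TACACS+ packet and pull out the authentication fields."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(raw[:HDR.size])
    body = raw[HDR.size:HDR.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    rec = {"session": session_id, "seq": seq_no}
    if ptype != TAC_PLUS_AUTHEN or seq_no % 2 == 0:   # even seq = server REPLY, not parsed here
        rec["kind"] = "other"
        return rec
    if seq_no == 1:  # the first client packet of a session is the START
        action, _priv, atype, _svc, ulen, plen, rlen, dlen = body[:8]
        user = body[8:8 + ulen]
        data_off = 8 + ulen + plen + rlen
        data = body[data_off:data_off + dlen]
        rec.update(kind="START",
                   action=ACTION_NAMES.get(action, hex(action)),
                   authen_type=AUTHEN_TYPE_NAMES.get(atype, hex(atype)),
                   user=user.decode(errors="replace"),
                   # PAP carries the password in data; ASCII sends it later in a CONTINUE
                   blank_password=(len(data) == 0) if atype == AUTHEN_TYPE_PAP else None)
        return rec
    umlen, _dlen, cflags = struct.unpack("!HHB", body[:5])
    rec.update(kind="CONTINUE", user_msg=body[5:5 + umlen].decode(errors="replace"),
               blank_password=(umlen == 0), abort=bool(cflags & 0x01))
    return rec


def summarize(packets, key):
    return [parse_packet(p, key) for p in packets]


def blank_responses(records):
    """(session, seq) of every client packet that answered a prompt with an empty string."""
    return [(r["session"], r["seq"]) for r in records if r.get("blank_password")]


# Constructed sample "capture" (not real Prime/ACS traffic): one PAP login and one
# ASCII login whose CONTINUE answering the password prompt is empty.
SHARED_KEY = b"s3cret"  # assumed shared secret, the same value you would give Wireshark
SAMPLE_CAPTURE = [
    build_packet(0x12345678, SHARED_KEY, VERSION_ONE, 1,
                 authen_start(0x01, AUTHEN_TYPE_PAP, b"prime-svc", data=b"Pr1me!")),
    build_packet(0x0BADCAFE, SHARED_KEY, VERSION_DEFAULT, 1,
                 authen_start(0x01, 0x01, b"prime-svc")),
    build_packet(0x0BADCAFE, SHARED_KEY, VERSION_DEFAULT, 3, authen_continue(b"prime-svc")),
    build_packet(0x0BADCAFE, SHARED_KEY, VERSION_DEFAULT, 5, authen_continue(b"")),
]

if __name__ == "__main__":
    records = summarize(SAMPLE_CAPTURE, SHARED_KEY)
    for r in records:
        print(r)
    print("blank responses (session, seq):", blank_responses(records))
```

With the right key the START of the first session decodes to `action=LOGIN`, `authen_type=PAP`, `user=prime-svc`, and the fourth packet shows up in `blank_responses` as the empty answer; with the wrong key the body decodes to noise, which is also what you will see in Wireshark if the secret in its TACACS+ preferences does not match the one on the device.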
01-16-2013 01:14 AM
Hi,
I am facing the same error on ACS 5.3. Actually, the TACACS+ user (created in the local identity store, e.g. user-1) tried to log in to one of the devices (e.g. SW-1); it failed, and on the ACS we got the following log:
tacacs+ authentication request switches from login to change password functionality
When the same user (user-1) tried to log in to a different device (e.g. SW-2), that was successful. We tried again to log in to the previous device (SW-1), and ACS reported the same error.
As a workaround, what we did was a password reset for user-1, and afterwards we were able to log in to SW-1.
Seems to be strange behaviour on ACS. Couldn't find any bug related to this behaviour.
Regards,
Akhtar
01-16-2013 02:47 AM
There are some fixes that are included in patches for ACS 5.3.
While I can't find an exact match, I can find some that may be close:
CSCtz42111: Password expiry timer is not replicated after password change using T+
CSCtu21456: ACS 5 intermittently password change is not working on secondary ACS
These are both included in patch 5 for ACS 5.3.
So you may consider installing patch 5 or the latest cumulative patch for ACS 5.3, which is patch 8.