Change Password functionality on ACS 5.3

steve switzer
Level 1

Hi All

I seem to be getting this diagnostic message for one of my usernames --

TACACS+ authentication request switches from Login to Change Password functionality.

Now I can't see if this has a session limit or timer on it.

There doesn't seem to be one set, but this is causing a lot of AAA error messages.

Has anyone any idea of how I can set the password configuration for this user so that this doesn't happen?

It's almost certainly an ACS issue, but I just don't know where the appropriate settings are.

Thanks

Steve

7 Replies

Tarik Admani
VIP Alumni

Steve,

Can you post a screenshot of where you are seeing the error message? Is this on the ACS or the network devices? I know that if you hit the enter key with a blank password you will be prompted to change your password; is this when you are experiencing this message?

Thanks

Sent from Cisco Technical Support iPad App

Hi Tarik

Can't seem to get my screenshot to display.

Anyway, I see it from my ACS Monitoring and Reports - AAA Protocol > AAA Diagnostics:

Severity: DEBUG
ACS Session ID: lon-inf-lacs01/142119818/778063
Date: December 31, 2012
Generated on December 31, 2012 11:27:46 AM GMT

Dec 31,12 6:23:17.850 AM | Dec 31,12 6:23:17.823 AM | lon-inf-lacs01/142119818/778063 | WARN | TACACS+ authentication request switches from Login to Change Password functionality. | CSCOacs_TACACS_Diagnostics | 13041

Thanks for getting back to me

Steve

In the error logs, are you seeing this with every TACACS+ authentication request? Do you see the same issue when you log in to the devices yourself? Is there a tool, i.e. Prime or CiscoWorks, that is causing these messages?

Thanks,

Sent from Cisco Technical Support iPad App

Hi Tarik

It's only this user and it is coming from Cisco Prime - I didn't set this user up, unfortunately.

I was just wondering where the settings might be to address this.

If I log in using my AD account I don't see this issue.

This user is not an AD user but an internal identity store user.

Maybe there is a setting for these on ACS to stop this happening, but I cannot find it!

Steve

If this device is using TACACS+ you may want to SPAN the port that the Prime is on and decrypt the payload using Wireshark (you can set the shared secret in the preferences option under the TACACS+ protocol when looking at the packet capture). I wonder if the Prime application is sending a leading which is triggering the password change, and then the password gets changed? You can also try debugging the runtime component on ACS and downloading the support bundle. Let me know if you would like directions to see if you want to look there.

Thanks,

Tarik Admani
*Please rate helpful posts*
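The packet-level check Tarik describes (decoding the TACACS+ payload with the shared secret to see what Prime actually sends) can also be done in a small script, which is handy when Wireshark is not available on the capture host. The following Python example is added here and is not part of this thread or of any Cisco tool: it implements the TACACS+ body obfuscation from RFC 8907 (an MD5 pseudo-pad keyed with the session id, shared secret, version and sequence number, XORed over the body), parses an authentication START packet, and reports whether the client asked for action LOGIN or CHPASS, which is exactly the distinction the ACS diagnostic message is about. The shared secret, session ids, usernames and addresses in the sample packets are constructed values, and `chpass_users` is a hypothetical helper that just lists the users whose session opened with a change-password request.

```python
"""Decode TACACS+ authentication START packets and flag CHPASS requests.

Added example (not from the thread or from Cisco): the obfuscation scheme is the
one defined in RFC 8907; every packet below is constructed for the demo.
"""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01               # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # header flag: body sent in the clear
ACTIONS = {0x01: "LOGIN", 0x02: "CHPASS", 0x04: "SENDAUTH"}
AUTHEN_TYPES = {0x01: "ASCII", 0x02: "PAP", 0x03: "CHAP", 0x05: "MSCHAP", 0x06: "MSCHAPV2"}

# Constructed secret; in practice this is the key configured on the NAS and on ACS.
SHARED_SECRET = b"constructed-shared-secret"


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pad: MD5_1 = MD5(id|key|ver|seq), MD5_n = MD5(id|key|ver|seq|MD5_n-1)."""
    seed = session_id + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Parse one TACACS+ authentication START packet (12-byte header + body)."""
    if len(packet) < 12:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    if len(body) < 8:
        raise ValueError("short START body")
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if 8 + ulen + plen + rlen + dlen != len(body):
        # Almost always means the pad was derived from the wrong shared secret.
        raise ValueError("length fields do not match body (wrong secret?)")
    off = 8
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem_addr = body[off:off + rlen]; off += rlen
    data = body[off:off + dlen]
    return {
        "session_id": session_id.hex(),
        "seq_no": seq_no,
        "action": ACTIONS.get(action, f"unknown({action})"),
        "priv_lvl": priv_lvl,
        "authen_type": AUTHEN_TYPES.get(authen_type, f"unknown({authen_type})"),
        "user": user.decode("ascii", "replace"),
        "port": port.decode("ascii", "replace"),
        "rem_addr": rem_addr.decode("ascii", "replace"),
        "data": data,
    }


def build_authen_start(key, session_id, action, user, port, rem_addr, data=b"",
                       authen_type=0x01, priv_lvl=1, service=1, version=0xC0, seq_no=1):
    """Build an obfuscated START packet; used here only to construct sample input."""
    body = struct.pack("!8B", action, priv_lvl, authen_type, service,
                       len(user), len(port), len(rem_addr), len(data)) + user + port + rem_addr + data
    header = struct.pack("!BBBB4sI", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def chpass_users(packets, key):
    """Hypothetical helper: usernames whose START packet asked for CHPASS rather than LOGIN."""
    return [p["user"] for p in (parse_authen_start(pkt, key) for pkt in packets)
            if p["action"] == "CHPASS"]


def sample_packets():
    """Two constructed START packets: a normal login and a change-password request."""
    return [
        build_authen_start(SHARED_SECRET, b"\x12\x34\x56\x78", 0x01, b"admin", b"tty0", b"10.0.0.5"),
        build_authen_start(SHARED_SECRET, b"\x9a\xbc\xde\xf0", 0x02, b"prime-user", b"tty1", b"10.0.0.9"),
    ]


if __name__ == "__main__":
    for pkt in sample_packets():
        info = parse_authen_start(pkt, SHARED_SECRET)
        print(f"{info['user']:12} action={info['action']:8} type={info['authen_type']} from {info['rem_addr']}")
    print("change-password requests from:", chpass_users(sample_packets(), SHARED_SECRET))
```

Run against real traffic, each TCP payload from the NAS to port 49 would be fed to `parse_authen_start` with the device's configured secret; a START whose action decodes as CHPASS is the client opening the session with a change-password request, whereas ACS switching a LOGIN session to change-password mid-flow would only show up in the later CONTINUE/REPLY exchange, so the two cases are distinguishable from the capture.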

Akhtar Samo
Level 1

Hi,

I am facing the same error on ACS 5.3. Actually, when the TACACS+ user (created in the local identity store, e.g. user-1) tried to log in on one of the devices (e.g. SW-1), it failed, and on the ACS we got the following logs:

tacacs+ authentication request switches from login to change password functionality

When the same user (user-1) tried to log in on a different device (e.g. SW-2), that was successful. When we tried again to log in on the previous device (SW-1), ACS reported the same error.

As a workaround, what we did is a password reset for user-1, and afterwards we were able to log in on SW-1.

Seems to be strange behaviour on ACS. Couldn't find any bug related to this behaviour.

Regards,

Akhtar

There are some fixes that are included in patches for ACS 5.3.

While I can't find an exact match I can find some that may be close:

CSCtz42111: Password expiry timer is not replicated after password change using T+

CSCtu21456: ACS 5 intermittently password change is not working on secondary ACS

These are both included in patch 5 for ACS 5.3.

So you may consider installing patch 5 or the latest cumulative patch for ACS 5.3, which is patch 8.