02-29-2024 01:45 PM
I have settings enabled for Active Directory users to change their password if it's expired. I was able to successfully test it on two Cisco C8500-12Xs with TACACS. I have not been able to get it to work on Arista, Palo Alto, or other Cisco devices using RADIUS or TACACS. There was nothing special in the AAA configs on the C8500-12X. Is there a guide that goes into specifics for configuring this setting?
02-29-2024 04:41 PM
I have also only ever used this with Cisco IOS devices when they are configured with AAA using TACACS+.
I believe in the RADIUS world, if you're still using EAP-PEAP MSCHAPv2, then you can change your password via the login dialogue of your Windows/iOS/Android supplicant. But I have never tried that. MSCHAPv2 is dying off slowly, and so are usernames and passwords.
03-07-2024 08:09 AM
We don't plan on using RADIUS in prod, so it's not that big of a deal. Is there a standard Cisco config though to get it to work?
03-07-2024 12:32 PM
Password change during a telnet/ssh session over TACACS+ does not require any special IOS configuration commands. The feature is enabled on the TACACS+ server.
In ISE it's configured as below - don't worry about the "telnet" wording below - it also works with SSH!
Once enabled, you telnet/ssh to the network device, and enter the username. When prompted for the password, press Enter.
In my case I used an ISE Internal Network Access User account. But I believe this will work with an AD account as well.
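The exchange described in the answer above (username, Enter at the password prompt, then the server-driven old/new/re-enter dialogue) is carried entirely by TACACS+ ASCII authentication: the device just relays the server's GETPASS/GETDATA prompts and the user's replies, which is why no extra IOS command is needed. The following is an added, constructed example, not code from the original post, from Cisco, or from ISE. It implements the RFC 8907 packet framing and MD5 body obfuscation for real, but the server side is an in-memory simulation of the change-password flow; the prompt strings, the shared key, the session ID and the user records are assumptions, and ISE's actual prompt wording may differ.

```python
"""Simulated TACACS+ ASCII login with an expired-password change dialogue.

Constructed example: a minimal client and an in-memory server exchange
RFC 8907 authentication packets (real framing and obfuscation) in process,
with no network. The server's prompts are assumed, not ISE's exact text.
"""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01
VERSION = 0xC0                                    # major 0xC, minor 0 (ASCII login)
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR = range(1, 8)
REPLY_FLAG_NOECHO = 0x01
SHARED_KEY = b"example-shared-secret"             # assumption: key configured on both sides


def pseudo_pad(session_id, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    base = struct.pack("!I", session_id) + SHARED_KEY + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def pack(ptype, seq_no, session_id, body, flags=0):
    """12-byte header followed by the body XORed with the pseudo pad."""
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body))
    pad = pseudo_pad(session_id, VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))


def unpack(packet):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = pseudo_pad(session_id, version, seq_no, length)
    return ptype, seq_no, session_id, bytes(b ^ p for b, p in zip(packet[12:12 + length], pad))


def authen_start(user, port="tty0", rem_addr="192.0.2.10"):   # port/address are assumptions
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), 0) + u + p + r


def authen_continue(user_msg):
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m


def authen_reply(status, server_msg, noecho=False):
    m = server_msg.encode()
    return struct.pack("!BBHH", status, REPLY_FLAG_NOECHO if noecho else 0, len(m), 0) + m


def parse_start(body):
    ulen = struct.unpack("!8B", body[:8])[4]
    return body[8:8 + ulen].decode()


def parse_continue(body):
    return body[5:5 + struct.unpack("!HHB", body[:5])[0]].decode()


def parse_reply(body):
    status, _flags, mlen, _dlen = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + mlen].decode()


class ExpiredPasswordServer:
    """Simulated server: an expired user who presses Enter at the password
    prompt is walked through old/new/re-enter; anything else is pass/fail."""

    def __init__(self, users):
        self.users = users          # name -> {"password": str, "expired": bool}
        self.sessions = {}          # session_id -> per-session state

    def handle(self, packet):
        ptype, seq_no, sid, body = unpack(packet)
        st = self.sessions.setdefault(sid, {"step": "start"})
        if ptype != TAC_PLUS_AUTHEN:
            reply = authen_reply(ERROR, "Unsupported packet type")
        elif st["step"] == "start":
            st.update(user=parse_start(body), step="password")
            reply = authen_reply(GETPASS, "Password: ", noecho=True)
        else:
            reply = self._advance(st, parse_continue(body))
        return pack(TAC_PLUS_AUTHEN, seq_no + 1, sid, reply)

    def _advance(self, st, msg):
        acct, step = self.users.get(st["user"]), st["step"]
        if step == "password":
            if msg == "" and acct and acct["expired"]:          # Enter => change dialogue
                st["step"] = "old"
                return authen_reply(GETDATA, "Enter old password: ", noecho=True)
            st["step"] = "done"
            if acct and msg == acct["password"] and not acct["expired"]:
                return authen_reply(PASS, "")
            return authen_reply(FAIL, "Authentication failed")
        if step == "old":
            if acct and msg == acct["password"]:
                st["step"] = "new"
                return authen_reply(GETDATA, "Enter new password: ", noecho=True)
            st["step"] = "done"
            return authen_reply(FAIL, "Authentication failed")
        if step == "new":
            st.update(new=msg, step="confirm")
            return authen_reply(GETDATA, "Re-enter new password: ", noecho=True)
        if step == "confirm":
            st["step"] = "done"
            if msg != st["new"]:
                return authen_reply(FAIL, "Passwords do not match")
            acct.update(password=msg, expired=False)
            return authen_reply(PASS, "Password changed")
        return authen_reply(ERROR, "Unexpected CONTINUE")


def ascii_login(server, user, answers, session_id=0x1A2B3C4D):
    """Play the device's role: send START, relay each prompt, answer from `answers`.
    Returns (final_status, [(prompt, typed), ...])."""
    transcript, queue, seq = [], list(answers), 1
    pkt = pack(TAC_PLUS_AUTHEN, seq, session_id, authen_start(user))
    while True:
        _ptype, seq, sid, body = unpack(server.handle(pkt))
        status, prompt = parse_reply(body)
        if status in (PASS, FAIL, ERROR) or not queue:
            return (status if status in (PASS, FAIL, ERROR) else ERROR), transcript
        typed = queue.pop(0)
        transcript.append((prompt, typed))
        pkt = pack(TAC_PLUS_AUTHEN, seq + 1, sid, authen_continue(typed))


if __name__ == "__main__":
    srv = ExpiredPasswordServer({"alice": {"password": "Winter2023!", "expired": True}})
    status, log = ascii_login(srv, "alice", ["", "Winter2023!", "Spring2024!", "Spring2024!"])
    for prompt, typed in log:
        print(f"{prompt!r} -> {'<Enter>' if typed == '' else '*' * len(typed)}")
    print("PASS" if status == PASS else "FAIL/ERROR")
```

Two things worth noticing in the exchange: every prompt comes back with TAC_PLUS_REPLY_FLAG_NOECHO set, so the device never echoes the old or new password, and the only thing the device does across the whole dialogue is relay GETDATA prompts and CONTINUE replies, which is why a platform that handles the multi-round ASCII exchange correctly needs no feature-specific AAA command. The same framing carries PAP/CHAP authentication, but those are single-round and give the server no way to drive a change-password prompt, which is the practical reason this works over TACACS+ ASCII login and not over the RADIUS methods the original poster tried.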
02-29-2024 10:31 PM
Share config, let me check.
MHM
03-07-2024 08:40 AM
tacacs-server host x.x.0.22 vrf NDPMGMT11008 key 7 06571E20560F38rgt383F450518142rr41D181C
tacacs-server host x.x.0.23 vrf NDPMGMT11008 key 7 06571E20560F38383dssF450518142rr41D181C
aaa group server tacacs+ ndpt-ise-servers
server x.x.0.22 vrf NDPMGMT11008
server x.x.0.23 vrf NDPMGMT11008
aaa authentication login default group tacacs+ group ndpt-ise-servers local
aaa authentication login console group tacacs+ group ndpt-ise-servers local
aaa authorization exec default group tacacs+ group ndpt-ise-servers local
aaa authorization commands all default group tacacs+ group ndpt-ise-servers local