12-10-2008 08:14 AM - edited 03-10-2019 04:13 PM
I am using Cisco ACS for Windows Release 4.1(1) Build 23 Patch 5.
I have enabled password aging for 30 days. After 30 days it prompts me to change the password when I telnet to any client. It is working fine.
Recently we have disabled telnet on all network devices and are using SSH instead of telnet.
I am not able to change the password from PuTTY, whereas if I connect through telnet it prompts me to change the password.
Because of this I am not able to access any network devices after 30 days.
Suggestions will be greatly appreciated.
Thanks in advance.
12-10-2008 08:27 AM
Went through this painful exercise a couple of weeks ago. You need to use the IOS 12.4 K9 image on the routers because password change is only supported on SSH version 2. See the example below:
[Expert@P1-NGx]# ssh -2 -l ngx1 192.168.15.248
ngx1@192.168.15.248's password:
Password change request
Enter ngx1@192.168.15.248's old password:
Enter ngx1@192.168.15.248's new password:
Retype ngx1@192.168.15.248's new password:
C3640>sh ver
Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(13a), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 06-Mar-07 20:25 by prod_rel_team
ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
C3640 uptime is 1 week, 5 days, 13 hours, 5 minutes
System returned to ROM by reload at 03:18:41 UTC Fri Nov 28 2008
System restarted at 03:20:58 UTC Fri Nov 28 2008
System image file is "flash:c3640-jk9o3s-mz.124-13a.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 3640 (R4700) processor (revision 0x00) with 98304K/32768K bytes of memory.
Processor board ID 24829119
R4700 CPU at 100MHz, Implementation 33, Rev 1.0
2 FastEthernet interfaces
4 Serial interfaces
1 HSSI interface
DRAM configuration is 64 bits wide with parity disabled.
125K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
C3640>
Easy right?
12-11-2008 01:15 AM
First of all I would like to thank you for your reply.
Is there any Cisco document stating this (that IOS before 12.4 doesn't support SSH password change)? If so, can you please provide me the link, so that I can show the proof to my management?
Thanks
12-11-2008 03:57 AM
This comes directly from Cisco TAC. Cisco TAC is the best in the business, bar none. IOS 12.3T, if I understand it, is equivalent to IOS 12.4 main line. Here is the Cisco TAC response below:
-----
Password change is supported by SSHv2. SSHv1 doesn't support the necessary message types to initiate a password change sequence.
The issue you are facing is another known bug apart from the bug I provided earlier "CSCdy54970". Here is the new bug id: CSCin91851
Only the very latest versions of IOS code (K9 image) on the routers support SSHv2.
In the meantime, I am sending you one link regarding SSHv2 and supported IOS
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html#wp1053732
----
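The TAC reply above refers to message types that exist only in SSHv2. As an added illustration (not part of the thread and not Cisco's code), the following Python builds and decodes the two RFC 4252 messages behind the "Password change request" prompt; the user name is taken from the session above and the passwords are constructed samples.

```python
import struct

# Message numbers from RFC 4252 (SSH-2 user authentication); SSHv1 has no equivalent.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60  # this meaning applies to the "password" method

def put_string(value: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(value)) + value

def get_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:end], end

def build_changereq(prompt: str) -> bytes:
    """Server to client: the password has expired, supply a new one."""
    return bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ]) + put_string(prompt.encode()) + put_string(b"")

def build_password_request(user: str, old: str, new: str = None) -> bytes:
    """Client to server: plain login, or (with new set) the reply to a CHANGEREQ."""
    msg = bytes([SSH_MSG_USERAUTH_REQUEST]) + put_string(user.encode())
    msg += put_string(b"ssh-connection") + put_string(b"password")
    msg += bytes([1 if new is not None else 0]) + put_string(old.encode())
    return msg + (put_string(new.encode()) if new is not None else b"")

def describe(payload: bytes) -> dict:
    """Decode either message; passwords are parsed but never returned."""
    if not payload:
        raise ValueError("empty payload")
    if payload[0] == SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        prompt, off = get_string(payload, 1)
        get_string(payload, off)  # language tag must be present
        return {"type": "PASSWD_CHANGEREQ", "prompt": prompt.decode()}
    if payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a password-authentication message")
    user, off = get_string(payload, 1)
    _service, off = get_string(payload, off)
    method, off = get_string(payload, off)
    if method != b"password" or off >= len(payload):
        raise ValueError("not a complete password request")
    changing = payload[off] != 0  # boolean TRUE marks a password change
    _old, off = get_string(payload, off + 1)
    if changing:
        get_string(payload, off)  # new password must be present
    return {"type": "USERAUTH_REQUEST", "user": user.decode(), "changing_password": changing}
```

These payloads travel inside the encrypted SSH transport, so the fields are only visible at the client or server endpoint, not on the wire.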