tacacs login problem

jefvaneijk
Level 1

When I add a user and give him a password (change on logon), it works great. One of the problems is that when I connect to a device in another subnet, I am again asked to change the password. Also, after a day I cannot log in at all and need to reset the password.

Anyone have a hint?

2 Replies

Richard Burts
Hall of Fame
Do you have TACACS configured to expire passwords? And if so at what frequency? It sounds to me like the server is expiring the passwords very quickly.

HTH

Rick

Hi,

No, I have not set this. In every segment I must change the password when I log on for the first time, for example:

192.168.1.5: I log in, password change

On another site, 192.168.10.2, I must change my password again.

I am totally confused with TACACS.

I will explain more:

We have users set in groups in TACACS. Now another problem is that on a new 2950 this user cannot log in with TACACS. I can (default group), and I have done a little debug.

6d21h: AAA/ACCT/CMD: Found list "default"

6d21h: AAA/ACCT: user oeveladm, acct type 3 (4123458998): Method=tacacs+ (tacacs+)

6d21h: AAA/AUTHEN/CONT (4021965436): continue_login (user='nyates')

6d21h: AAA/AUTHEN (4021965436): status = GETPASS

6d21h: AAA/AUTHEN (4021965436): Method=tacacs+ (tacacs+)

6d21h: TAC+: send AUTHEN/CONT packet id=4021965436

6d21h: TAC+: (4123458998): received acct response status = SUCCESS

6d21h: TAC+: ver=192 id=4021965436 received AUTHEN status = FAIL

6d21h: AAA/AUTHEN (4021965436): status = FAIL

6d21h: tty4 AAA/DISC: 17/"User Error"

6d21h: tty4 AAA/DISC/EXT: 1025/"Password failure"

6d21h: AAA/MEMORY: free_user (0x80DC22DC) user='*****' ruser='' port='tty4' rem_addr='**.**.**.**' authen_type=ASCII service=LOGIN priv=1

6d21h: AAA: parse name=tty4 idb type=-1 tty=-1

6d21h: AAA: name=tty4 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=4 channel=0

6d21h: AAA/MEMORY: create_user (0x80DC22DC) user='' ruser='' port='tty4' rem_addr='**.**.**.**' authen_type=ASCII service=LOGIN priv=1

6d21h: AAA/AUTHEN/START (1734910692): port='tty4' list='' action=LOGIN service=LOGIN

6d21h: AAA/AUTHEN/START (1734910692): using "default" list

6d21h: AAA/AUTHEN/START (1734910692): Method=tacacs+ (tacacs+)

6d21h: TAC+: send AUTHEN/START packet ver=192 id=1734910692

6d21h: TAC+: ver=192 id=1734910692 received AUTHEN status = GETUSER

6d21h: AAA/AUTHEN (1734910692): status = GETUSER

6d21h: AAA/AUTHEN/CONT (1734910692): continue_login (user='(undef)')

6d21h: AAA/AUTHEN (1734910692): status = GETUSER

6d21h: AAA/AUTHEN (1734910692): Method=tacacs+ (tacacs+)

6d21h: TAC+: send AUTHEN/CONT packet id=1734910692

6d21h: TAC+: ver=192 id=1734910692 received AUTHEN status = GETPASS

6d21h: AAA/AUTHEN (1734910692): status = GETPASS

aaa new-model

aaa authentication login default group tacacs+ line

aaa authentication login no_tacacs enable

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization commands 0 default group tacacs+ if-authenticated

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

I can log in, other users cannot.

Next problem:

I have changed the hostname and IP address of a switch, and the user also cannot log on anymore (updated TACACS).
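
Added example, not part of the original thread: a small Python parser for the AAA/TAC+ debug lines quoted above that groups them by session id and picks out logins the TACACS+ server itself answered with FAIL. The sample lines are a constructed subset of the post's output, and attaching the AAA/DISC/EXT reason to the most recent session id is a heuristic assumed here, because that line carries no id.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the post above.
SAMPLE = """\
6d21h: AAA/AUTHEN/CONT (4021965436): continue_login (user='nyates')
6d21h: AAA/AUTHEN (4021965436): status = GETPASS
6d21h: TAC+: send AUTHEN/CONT packet id=4021965436
6d21h: TAC+: ver=192 id=4021965436 received AUTHEN status = FAIL
6d21h: AAA/AUTHEN (4021965436): status = FAIL
6d21h: tty4 AAA/DISC/EXT: 1025/"Password failure"
6d21h: AAA/AUTHEN/START (1734910692): using "default" list
6d21h: TAC+: ver=192 id=1734910692 received AUTHEN status = GETUSER
6d21h: AAA/AUTHEN (1734910692): status = GETUSER
6d21h: TAC+: ver=192 id=1734910692 received AUTHEN status = GETPASS
"""

# Replies that came back from the TACACS+ server (as opposed to local AAA state).
SERVER_REPLY = re.compile(r"TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\w+)")
# The username the device forwarded for a session.
LOGIN_USER = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
# Disconnect reason; has a tty but no session id.
DISCONNECT = re.compile(r'AAA/DISC/EXT: \d+/"([^"]+)"')

def trace_sessions(text):
    """Return {session_id: {"user", "replies", "reason"}} in order of appearance."""
    sessions, last_id = {}, None
    for line in text.splitlines():
        m = LOGIN_USER.search(line) or SERVER_REPLY.search(line)
        if m:
            last_id = m.group(1)
            s = sessions.setdefault(last_id, {"user": None, "replies": [], "reason": None})
            if m.re is LOGIN_USER and m.group(2) != "(undef)":
                s["user"] = m.group(2)
            elif m.re is SERVER_REPLY:
                s["replies"].append(m.group(2))
            continue
        m = DISCONNECT.search(line)
        if m and last_id in sessions:
            # Heuristic (assumption): attribute the reason to the latest session seen.
            sessions[last_id]["reason"] = m.group(1)
    return sessions

def rejected_by_server(sessions):
    """Session ids whose last reply received from the server was FAIL."""
    return [sid for sid, s in sessions.items() if s["replies"][-1:] == ["FAIL"]]

if __name__ == "__main__":
    for sid, s in trace_sessions(SAMPLE).items():
        print(sid, s["user"], " -> ".join(s["replies"]), s["reason"] or "")
```

A FAIL that appears on a "received AUTHEN status" line means the server was reached and answered, so the next place to look is that user's record and group restrictions on the TACACS+ server rather than reachability from the switch.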