10-17-2008 08:46 AM - edited 03-10-2019 04:08 PM
Has anybody been able to change their credentials' password when AAA is done via TACACS and tagged to change their password at first login while accessing the network device through SSH?
It works wonderfully with telnet...
10-18-2008 07:07 PM
Make sure you are not encountering any of the following defects:
CSCdy54970 & CSCin91851
Regards,
Prem
10-20-2008 04:28 AM
These 2 defects are not accessible to non-Cisco personnel. Can you paste the content in this post? Tx.
10-20-2008 04:37 AM
You need to have a CCO account for the same; it's customer visible.
CSCeh76733
CS Password Expire, SSH, Apply Aging Rules
Symptom:
Is getting CS Password Expired, using SSH for initial login.
Conditions:
Password Aging under group setup is set to Apply password change rule. User tried to login with SSH the first time after the admin sets the password.
Workaround:
None known at this time.
Fixed-In
12.1(22)EA3
12.2(18)SXE
12.2(25)S6
12.2(25)SEA
12.2(25)SEB
12.2(27.7)S
12.3(10.1)T
CSCin91851 Bug Details
Support keyboard-interactive authentication method
Symptom:
When using the router as an ssh server authenticating to an SDI/radius backend, normal authentications work. However, neither the new PIN mode nor Next Token mode dialogues complete successfully.
Conditions:
Issue is only observed in New PIN mode or Next Token mode dialogue.
Specific to SSHv2
Workaround:
Use telnet for authentication or set vty lines to authenticate to Radius (non-SDI) server instead.
Further Problem Description:
Not all ssh clients support the dialogue required for new pin mode or next token mode to work.
In those that do, for new PIN mode the symptoms are seen as follows:
The user is prompted for a password. The password is entered and is verified. At this point the user is prompted to enter a new PIN. The PIN is taken and appears to be accepted - user is then prompted for password using the new PIN.
Note: Fix for 12.2(18)SXF and 12.2(33)SXH is worked under a separate bug id.
Fixed-In
12.4(10.1)T
12.4(17.9)M
12.2(32.8.11)SX142
12.2(33.1.10)SXH
12.4(13f)M
12.2(33)SXH2
12.2(32.8.11)XJC153.1
Regards,
Prem
10-20-2008 06:32 AM
The OS are fine. We are using VanDyke SCRT client to connect. I am validating from that end as well. And I am using the workaround in CSCin91851 in the meantime.