03-22-2012 06:46 PM - edited 03-10-2019 06:56 PM
When a new user is created with the "Must change password at next logon" check box ticked, ACS does not allow the user to change the password. The password prompt displays an "access denied" message. Could anyone point me in the right direction for fixing this issue?
I have created a new account on the Cisco ACS server and enabled the tick box "User must change the password at next logon". I then used SSH to test the newly created user account using PuTTY. When I SSH to the Cisco devices (either switch or router), the password prompt appears and asks me to type the new password. Once I did that, I got an "access denied" message.
This worked fine with SecureCRT. But the users don't have SecureCRT; they are supposed to use PuTTY. Users can log in to the devices using PuTTY. The issue is only when we try to change the password.
ACS Version: ACS 4.0
Thanks
Nachi
05-27-2014 08:14 AM
When a user connects with SSH to the system and uses an expired TACACS password, they are prompted to change their password. However, this password change is not working correctly.
In order to fix this issue, you need to have SSH v2 with "keyboard interactive" authentication set for SSH v2. Cisco bug ID CSCin91851 discusses this behavior.
Symptom:
When using the router as an ssh server authenticating to an SDI/radius backend, normal authentications work. However, neither the new PIN mode nor Next Token mode dialogues complete successfully.
Conditions:
Issue is only observed in New PIN mode or Next Token mode dialogue.
Specific to SSHv2
Workaround:
Use telnet for authentication or set vty lines to authenticate to a RADIUS (non-SDI) server instead.
Further Problem Description:
Not all ssh clients support the dialogue required for new pin mode or next token mode to work.
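The answer above comes down to which SSH-2 authentication method the client negotiates: the "password expired, enter a new password" dialog is a multi-prompt exchange that only the keyboard-interactive method (RFC 4256) can carry, so a client that authenticates with plain "password" never gets a usable change dialog. The script below is an added example, not code from the original thread or from Cisco: it parses the `debug1: Authentications that can continue:` and `debug1: Next authentication method:` lines that OpenSSH prints under `ssh -v`, reports which methods the server offered and which one the client used, and says whether a password-change dialog could have succeeded. The sample log lines are constructed for the example; run the real thing by piping `ssh -v user@device 2>&1` into `parse_auth_negotiation`.

```python
import re
from typing import Dict, List, Optional

# Constructed `ssh -v` client output (not captured from a real device).
# First session: the server offers only "password", so the expired-password
# change dialog cannot be delivered. Second session: keyboard-interactive is
# offered and used, which is the condition the accepted answer asks for.
SAMPLE_VERBOSE_PASSWORD_ONLY = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
"""

SAMPLE_VERBOSE_KBDINT = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
"""

# Real OpenSSH debug messages; the method list is comma-separated.
_OFFERED_RE = re.compile(r"Authentications that can continue: (?P<methods>[\w,-]+)")
_NEXT_RE = re.compile(r"Next authentication method: (?P<method>[\w-]+)")


def parse_auth_negotiation(verbose_output: str) -> Dict[str, object]:
    """Return the union of methods the server offered and the last method tried."""
    offered: List[str] = []
    used: Optional[str] = None
    for line in verbose_output.splitlines():
        m = _OFFERED_RE.search(line)
        if m:
            for method in m.group("methods").split(","):
                if method not in offered:
                    offered.append(method)
            continue
        m = _NEXT_RE.search(line)
        if m:
            used = m.group("method")
    return {"offered": offered, "used": used}


def password_change_dialog_possible(verbose_output: str) -> bool:
    """True only if keyboard-interactive was both offered and selected."""
    result = parse_auth_negotiation(verbose_output)
    return "keyboard-interactive" in result["offered"] and result["used"] == "keyboard-interactive"


def diagnose(verbose_output: str) -> str:
    """Human-readable verdict for a helpdesk checklist."""
    result = parse_auth_negotiation(verbose_output)
    if "keyboard-interactive" not in result["offered"]:
        return "server does not offer keyboard-interactive: fix the device/AAA side first"
    if result["used"] != "keyboard-interactive":
        return "client chose %s instead of keyboard-interactive: fix the client settings" % result["used"]
    return "keyboard-interactive in use: password-change dialog can be delivered"


if __name__ == "__main__":
    for name, sample in (("password-only", SAMPLE_VERBOSE_PASSWORD_ONLY),
                         ("kbd-interactive", SAMPLE_VERBOSE_KBDINT)):
        print(name, "->", diagnose(sample))
```

On the client side, OpenSSH can be told to prefer the right method with `ssh -o PreferredAuthentications=keyboard-interactive user@device`; in PuTTY the equivalent is the "Attempt keyboard-interactive auth (SSH-2)" option under Connection > SSH > Auth, which is what the accepted answer is pointing at.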
05-26-2014 07:11 AM
I have this exact problem with ACS 5.3. If I find a solution I will let you know.