13041 TACACS+ authentication request switches from Login to Change Password functionality.

ranemilind · ‎09-12-2010

Hi Team,

I am not able to change password on ACS clients in next log on.

on ACS 5.1 getting below message.

Even i selected "Changed Password on Next Login"

ACS Logs given..

Status:	Failed
Failure Reason:	13041 TACACS+ authentication request switches from Login to Change Password functionality.
Logged At:	Sep 13, 2010 9:48 AM
ACS Time:	Sep 13, 2010 9:48 AM
ACS Instance:	ACS-PRI

Authentication Result
Type=Authentication Authen-Reply-Status=Fail Server-Msg=As per GSD setting telnet not used for TML CEP devices.

Steps
Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
Current Identity Store does not support the authentication method; Skipping it.
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
TACACS+ authentication request switches from Login to Change Password functionality.
TACACS+ ASCII change password request.
Returned TACACS+ Authentication Reply

Regards

Milind Rane

Waris Hussain · ‎09-13-2010

Hi ,

Are you using ACS5.0 is yes then there is feature limitation on that code, this feature is supported in ACS 5.1

Here is the feature request : CSCtc31598

Symptom:

The "user must change password on next login" feature for TACACS+ authentication for users defined in the local ACS store does not work.

If set, users will fail to login

Workaround:

none


Thanks 
Waris Hussain.