Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
3254
Views
0
Helpful
0
Comments

TACACS+ password aging does not work with SSH on a Cisco router with Cisco IOS 12.0

TCC_2
Level 10
Level 10

‎06-22-2009 06:17 PM - edited ‎03-08-2019 06:28 PM

Core issue

Secure Shell (SSH) does not support the password change feature before expiry for users that employ TACACS+ authentication. The feature does work for expired passwords because it can trigger a password change sequence at that point.

Use Telnet if a password must be changed before expiry.

Resolution

The password change feature (before expiry) for TACACS+ users is incorporated in SSHv2. In SSHv2, SSH_MSG_USERAUTH_PASSWD_CHANGEREQ permits this functionality.

To resolve this issue, verify the version of the Cisco IOS image running on the Cisco IOS device. SSHv2 is integrated in these Cisco IOS images:

  • 12.2(25)S06        
  • 12.2(18)SXE        
  • 12.1(22)EA03        
  • 12.2(25)SEB        
  • 12.2(25)SEA        
  • 12.2(27.07)S        
  • 12.3(10.01)T and onwards        

For more information, refer to Secure Shell Version 2 support in Cisco IOS Software Release 12.4

Problem Type

Password recovery

Troubleshoot software feature

Product Family

Routers

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents