Cisco Support Community
Community Member

ACS 5.1 - Password aging problem....again.


To be precise I am using the ACS version

My AAA clients are IOS 15.0.1 (M2) for the router and 12.2.52 (SE) for the switch.

The main issue is to

- Send a message to the end-user that his password is about to expire

- Give the tool to the user to actually change his password.

I have configured the AAA server using TACACS+ to warn the user before their password times out.

I have observed the following:

- If the user SSHes to the AAA client directly as enable (priv-level = 15), no warning is shown about the password expiry date.

- If the user SSHes to the AAA client directly with priv-level = 1 and then re-authenticates to become enable, only then is a warning message displayed.

- If we say that P1 is the password to authenticate and get privilege level 1, and P2 the password to then become enable, I have seen that:

* The warning message concerns only P1

* There is no way to know how old P2 is

* There is no way to enforce P2 to actually be changed.

- Ticking or not ticking "TACACS Enable Password" does not help in any way, since there is no expiry-date field added to it.

- Finally, I do not tick "TACACS Enable Password", meaning that the user has only one password P1 stored in the ACS. I then did the following test:

* Connect via SSH to the AAA client.

* I authenticate using P1

* I am granted priv-15, as per my ACS rules in place

* Then, type "disable" and "enable"

* At the password prompt I enter nothing and press Enter; the AAA client then asks for the old and new password

* The last action just created an additional password P2, which is not identical to P1

So, we just lose synchronization.

The only workaround so far is to:

- Log in with privilege level 15,

- Not tick "TACACS Enable Password"

- Use P1 to become Level15 directly, since only P1 can have a timestamp

- Send a password warning by e-mail to an admin, when an account is about to expire. (that last part is not clear yet)

Any suggestion would be welcome.

Thank you,
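The last workaround item above (an e-mail warning to an admin before an account's password expires) is something that can be scripted outside the ACS. The following is an added example, not code from the thread or from Cisco: it assumes an operator has exported (username, last-changed date) pairs from the ACS in whatever way suits them, applies an assumed 90-day aging policy, and builds the report an admin would receive. Only the login password (P1) is tracked, because, as the post observes, the separate enable password has no timestamp to work from. The sample accounts, dates and addresses are constructed.

```python
"""Flag accounts whose login password (P1) is expired or about to expire.

Added example for this thread; it is not Cisco's code and is not tied to any
ACS export format. Assumptions: (user, last_changed) pairs are available, the
aging policy is MAX_AGE_DAYS, and admins want WARN_DAYS of notice.
"""
from datetime import date, timedelta
from email.message import EmailMessage

MAX_AGE_DAYS = 90   # assumed aging policy configured on the ACS
WARN_DAYS = 14      # assumed warning window before expiry

# Constructed sample data; real values would come from an ACS user export.
SAMPLE_ACCOUNTS = [
    ("alice", date(2010, 1, 5)),
    ("bob", date(2010, 1, 20)),
    ("carol", date(2010, 4, 1)),
]
SAMPLE_TODAY = date(2010, 4, 10)  # fixed "today" so the sample is reproducible


def days_until_expiry(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """Days left before the password reaches max_age_days (negative if past)."""
    return (last_changed + timedelta(days=max_age_days) - today).days


def classify(accounts, today, max_age_days=MAX_AGE_DAYS, warn_days=WARN_DAYS):
    """Sort accounts into expired / expiring / ok buckets of (user, days_left)."""
    result = {"expired": [], "expiring": [], "ok": []}
    for user, last_changed in accounts:
        left = days_until_expiry(last_changed, today, max_age_days)
        if left < 0:
            result["expired"].append((user, left))
        elif left <= warn_days:
            result["expiring"].append((user, left))
        else:
            result["ok"].append((user, left))
    return result


def build_admin_report(buckets, today, sender="acs-aging@example.invalid",
                       recipient="netadmin@example.invalid"):
    """Build (but do not send) the admin e-mail; returns an EmailMessage.

    Sending is left to the operator's mail relay (e.g. smtplib), so this runs
    offline. Addresses are placeholders.
    """
    lines = [f"Password aging report for {today.isoformat()}", ""]
    for user, left in buckets["expired"]:
        lines.append(f"EXPIRED  {user}: login password expired {-left} day(s) ago")
    for user, left in buckets["expiring"]:
        lines.append(f"WARNING  {user}: login password expires in {left} day(s)")
    if not buckets["expired"] and not buckets["expiring"]:
        lines.append("No accounts need attention.")
    msg = EmailMessage()
    msg["Subject"] = (f"[ACS] {len(buckets['expired'])} expired, "
                      f"{len(buckets['expiring'])} expiring")
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    report = build_admin_report(classify(SAMPLE_ACCOUNTS, SAMPLE_TODAY), SAMPLE_TODAY)
    print(report)
```

Run it as-is to see the constructed report; in practice the script would be scheduled daily with the real export feeding `classify`, and `build_admin_report`'s result handed to the site's mail relay.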



Re: ACS 5.1 - Password aging problem....again.

What is your SSH client?

Re: ACS 5.1 - Password aging problem....again.

If I remember correctly, the TACACS+ password change feature is only supported on Telnet sessions. SSH might or might not work.

Re: ACS 5.1 - Password aging problem....again.

It works if the version of IOS supports it and the SSH client supports keyboard interactive, and that method is tried first (some clients, for example SecureCRT, have Password as the first method by default).
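As an added illustration of the client-side ordering mentioned in the reply above (not from the thread or from Cisco): with an OpenSSH client, the order in which authentication methods are offered is controlled by `PreferredAuthentications` in `ssh_config`, so keyboard-interactive can be tried before plain password. The host name below is a placeholder.

```sshconfig
# ~/.ssh/config (OpenSSH client); "router-example" is a placeholder host alias.
# The expiry warning and change-password dialog arrive as keyboard-interactive
# prompts from the device, so that method must be offered before "password".
Host router-example
    HostName 192.0.2.1
    PreferredAuthentications keyboard-interactive,password
```

Other clients expose the same choice in their own settings (the reply above names SecureCRT as one that defaults to password first).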

Community Member

Re: ACS 5.1 - Password aging problem....again.


Thank you for your answers.

From the output I have attached, you can see that the SSH client (PuTTY version 0.60) supports keyboard interactive.

