New Member

ACS TACACS+ Password Aging with CiscoWorks stations

I run an ACS 3.2 Windows server to authenticate access to switches, routers & CiscoWorks stations (both LMS & ITM).

I also use "password aging" on all my users.

The authentication itself works fine with any equipment (switches, routers, CiscoWorks).

About the password aging, when a password is expired, authentication is refused normally on any equipment (Sw, RTRs, CiscoWks).

But the password changing procedure works fine only with switches & routers and not with CiscoWorks.

The warning messages during the warning period are displayed only with switches & routers and not on CiscoWorks stations. (Warning messages are messages such as "your password will expire in 3 logins".)

As well, the chpass procedure (change password procedure) works only on switches & routers, not on CiscoWorks.

It seems that CiscoWorks stations implement only a restricted set of the TACACS+ protocol, limiting it to user authentication only. Can anybody confirm?


New Member

Re: ACS TACACS+ Password Aging with CiscoWorks stations

We just ran into the same issue, as I had just recently deployed CiscoWorks and TACACS. There are some serious limitations to authenticating CiscoWorks on TACACS. Primarily that CiscoWorks will not recognize or use any of the TACACS authorization levels. Basically, if you authenticate CiscoWorks with TACACS, the only access level you can get is Guest, which really doesn't allow you to do anything. The only way to get anything higher is to create local CiscoWorks IDs. When I first saw the ability to authenticate CiscoWorks on TACACS I was thrilled to have a central network management password server; however, like you found out, it really does not do anything for you... We are trying to get Cisco to develop this concept further because it is a great idea. Hope this helps, but I think you found out everything I told you already.

New Member

Re: ACS TACACS+ Password Aging with CiscoWorks stations

We notice the same problem here too!

We have network admin access managed by ACS. I tried to enable the TACACS+ module of CiscoWorks, but I only have help desk privilege when an admin logs in.

Is that a limitation of CiscoWorks or a config I am missing?

The workaround is the same as yours. I need to create all network admins in CiscoWorks locally.

I can't believe Cisco didn't implement role levels for TACACS+ users. Not very useful the way it is right now.


New Member

Re: ACS TACACS+ Password Aging with CiscoWorks stations

Yes, this is a limitation of CiscoWorks.

As well as the management of "Password Aging".

If you want to get a higher level than HD (HelpDesk) on LMS, you have to define your users on your ACS server, and then define the exact same users again on CiscoWorks to map them with some higher permissions such as NA (network administrator) or AP (approver).

About Password Aging, I opened a ticket with the Technical Assistance Center & they confirmed to me that this feature is not supported by CiscoWorks stations.