Putty and ACS server password change issue

When a new user is created with the "Must change password at next logon" check box ticked, ACS does not allow the user to change the password.  The password prompt displays a message access denied. Could anyone point me in the right direction for fixing this issue?

I have created a new account on the Cisco ACS server and enabled the tick box "user must change the password at next logon". I then used SSH to test the newly created user account using PuTTY. When I SSH to the Cisco devices [either switch or router] the password prompt appears and asks me to type the new password. Once I did that I got a message "access denied".

This worked fine with SecureCRT. But the users don't have SecureCRT; they are supposed to use PuTTY. Users can log in to the devices using PuTTY. The issue is only when we try to change the password.

ACS Version: ACS 4.0

Thanks

Nachi

Accepted Solution

mohanak
Cisco Employee

When a user connects with SSH to the system and uses an expired TACACS password, they are prompted to change their password. However, this password change is not working correctly.

In order to fix this issue, you need to have SSH v2 with "Keyboard interactive" authentication set for SSH v2. Cisco bug ID CSCin91851 discusses this behavior.

Symptom:

When using the router as an ssh server authenticating to an SDI/radius backend, normal authentications work. However, neither the new PIN mode nor Next Token mode dialogues complete successfully.

Conditions:

The issue is only observed in the New PIN mode or Next Token mode dialogue.
Specific to SSHv2.

Workaround:

Use telnet for authentication or set vty lines to authenticate to a RADIUS (non-SDI) server instead.

Further Problem Description:

Not all ssh clients support the dialogue required for new pin mode or next token mode to work.

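To show why a client that only answers one "Password:" prompt fails the expired-password dialogue while a keyboard-interactive client completes it, here is an added example; it is not code from the thread, from Cisco or from PuTTY. The server side is a constructed stand-in (the prompt texts, the two-round flow and the password values are assumptions); the handler signature is the one paramiko's `Transport.auth_interactive()` calls.

```python
# Constructed simulation of an SSH keyboard-interactive password-change dialogue.
# The server is a stand-in with assumed prompt texts, not Cisco IOS/ACS. The
# handler signature is the one paramiko's Transport.auth_interactive() calls:
# handler(title, instructions, prompt_list) -> responses, prompt_list = [(text, echo)].
from typing import Callable, List, Tuple

Handler = Callable[[str, str, List[Tuple[str, bool]]], List[str]]

def expired_password_server(old_pw: str, new_pw: str) -> Callable[[Handler], bool]:
    """Return a runner for the assumed two-round dialogue; True means the change succeeded."""
    def run(handler: Handler) -> bool:
        # Round 1: the ordinary single password prompt.
        if handler("", "", [("Password: ", False)]) != [old_pw]:
            return False
        # Round 2: password expired, so the server sends two prompts in one round.
        # A client that can only answer a single "Password:" prompt breaks here.
        answers = handler("", "Password expired; choose a new one.",
                          [("Enter new password: ", False),
                           ("Re-enter new password: ", False)])
        return len(answers) == 2 and answers[0] == answers[1] == new_pw
    return run

def password_only_client(password: str) -> Handler:
    """Models a client that treats every authentication round as one password prompt."""
    def handler(title, instructions, prompts):
        return [password]  # answers the first prompt only, whatever the server asked
    return handler

def keyboard_interactive_client(current_pw: str, new_pw: str) -> Handler:
    """Models a keyboard-interactive client: one answer per prompt, chosen by prompt text."""
    def handler(title, instructions, prompts):
        answers = []
        for text, _echo in prompts:
            lowered = text.lower()
            if "new password" in lowered:
                answers.append(new_pw)
            elif "password" in lowered:
                answers.append(current_pw)
            else:
                raise ValueError(f"unexpected prompt: {text!r}")  # never guess
        return answers
    return handler

def run_demo() -> Tuple[bool, bool]:
    """(single-prompt client result, keyboard-interactive client result) for one login."""
    server = expired_password_server("old-pw", "new-pw")
    return (server(password_only_client("old-pw")),
            server(keyboard_interactive_client("old-pw", "new-pw")))
```

The single-prompt client passes the first round and is denied in the second, which is the "access denied" the thread describes; the keyboard-interactive client answers both prompts and completes the change.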

Replies

joelgooding
Level 1

I have this exact problem with ACS 5.3. If I find a solution I will let you know.

Joel

