
Putty and ACS server password change issue

When a new user is created with the "Must change password at next logon" check box ticked, ACS does not allow the user to change the password. The password prompt displays the message "access denied". Could anyone point me in the right direction for fixing this issue?

I have created a new account on the Cisco ACS server and enabled the tick box "user must change the password at next logon". I then used SSH to test the newly created user account using PuTTY. When I SSH to the Cisco devices [either switch or router] the password prompt appears and asks me to type the new password. Once I do that I get a message "access denied".

This worked fine with SecureCRT. But the users don't have SecureCRT; they are supposed to use PuTTY. Users can log in to the devices using PuTTY. The issue is only when we try to change the password.

ACS Version: ACS 4.0

Thanks

Nachi

1 ACCEPTED SOLUTION


When a user connects with SSH to the system and uses an expired TACACS password, they are prompted to change their password. However, this password change is not working correctly.

In order to fix this issue, you need to have SSH v2 with "Keyboard interactive" authentication for the SSH v2 set. Cisco bug ID CSCin91851 discusses this behavior.

Symptom:

When using the router as an ssh server authenticating to an SDI/radius backend, normal authentications work. However, neither the new PIN mode nor Next Token mode dialogues complete successfully.

Conditions:

Issue is only observed in New PIN mode or Next Token mode dialogue.
Specific to SSHv2

Workaround:

Use telnet for authentication or set vty lines to authenticate to Radius (non-SDI) server instead.

Further Problem Description:

Not all ssh clients support the dialogue required for new pin mode or next token mode to work.
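An added example, not taken from the thread, of the device-side settings the accepted answer implies: SSH restricted to version 2 and vty logins authenticated against the ACS server over TACACS+. The hostname, domain, server address and shared secret are placeholders, and the `crypto key generate rsa` command is entered in privileged EXEC mode rather than configuration mode.

```cisco
! Assumed Cisco IOS configuration (example only, not from the post);
! hostname, domain, server address and secret are placeholders
hostname R1
ip domain-name example.net
! A host key must exist before SSH can be enabled (privileged EXEC, not config mode):
!   crypto key generate rsa modulus 2048
! Force SSH version 2 only. The change-password dialogue relies on the SSHv2
! keyboard-interactive exchange, which an SSHv1 session never offers.
ip ssh version 2
! Authenticate vty logins against ACS over TACACS+; the local user database is
! consulted only if no TACACS+ server responds
aaa new-model
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET
aaa authentication login default group tacacs+ local
line vty 0 4
 transport input ssh
 login authentication default
! Verify with: show ip ssh   (should report "SSH Enabled - version 2.0")
```

On the client side the matching check in PuTTY is Connection > SSH > Auth, where "Attempt keyboard-interactive auth (SSH-2)" must remain enabled so the new-password prompt is actually delivered to the user.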


2 REPLIES

I have this exact problem

I have this exact problem with acs 5.3. If I find a solution I will let you know.

Joel _______________________________ Please rate helpful posts and answered questions!
