Cisco Support Community
Community Member

TACACS user account change at 1st login while using SSH

Has anybody been able to change their credentials' password when AAA is done via TACACS and tagged to change their password at first login while accessing the network device through SSH?

It works wonderfully with telnet...

4 REPLIES

Re: TACACS user account change at 1st login while using SSH

Make sure you are not encountering any of the following defects:

CSCdy54970 & CSCin91851

Regards,

Prem

Community Member

Re: TACACS user account change at 1st login while using SSH

These 2 defects are not accessible to non-Cisco personnel. Can you paste the content in this post? Tx.

Re: TACACS user account change at 1st login while using SSH

You need to have a CCO account for the same; it's customer visible:

CSCeh76733

CS Password Expire, SSH, Apply Aging Rules

Symptom: Is getting CS Password Expired, using SSH for initial login.

Conditions: Password Aging under group setup is set to Apply password change rule. User tried to login with SSH the first time after the admin sets the password.

Workaround: None known at this time.

Fixed-In

12.1(22)EA3

12.2(18)SXE

12.2(25)S6

12.2(25)SEA

12.2(25)SEB

12.2(27.7)S

12.3(10.1)T

CSCin91851 Bug Details

Support keyboard-interactive authentication method

Symptom:

When using the router as an ssh server authenticating to an SDI/radius backend, normal authentications work. However, neither the new PIN mode nor Next Token mode dialogues complete successfully.

Conditions:

Issue is only observed in New PIN mode or Next Token mode dialogue.

Specific to SSHv2

Workaround:

Use telnet for authentication or set vty lines to authenticate to Radius (non-SDI) server instead.

Further Problem Description:

Not all ssh clients support the dialogue required for new pin mode or next token mode to work.

In those that do, for new PIN mode the symptoms are seen as follows:

The user is prompted for a password. The password is entered and is verified. At this point the user is prompted to enter a new PIN. The PIN is taken and appears to be accepted - user is then prompted for password using the new PIN.

"Note: Fix for 12.2(18)SXF and 12.2(33)SXH is worked under a separate bug id."

Fixed-In

12.4(10.1)T

12.4(17.9)M

12.2(32.8.11)SX142

12.2(33.1.10)SXH

12.4(13f)M

12.2(33)SXH2

12.2(32.8.11)XJC153.1

Regards,

Prem

Community Member

Re: TACACS user account change at 1st login while using SSH

The OS are fine. We are using VanDyke SCRT client to connect. I am validating from that end as well. And I am using the workaround in CSCin91851 in the meantime.
