Introduction
This procedure will explain how to change the password for a telnet admin session on the ASA platform using Cisco ACS TACACS server.
Note: Password change for SSH and ASDM admin sessions are not supported.
Configuration on ASA
1. Define the TACACS aaa-server
5580-20-1(config)# show runn aaa-server TACACS17 aaa-server TACACS17 protocol tacacs+ aaa-server TACACS17 (inside) host 10.148.1.17 key cisco 5580-20-1(config)#
2. Define the administrative authentication type for telnet
5580-20-1(config)# show runn aaa aaa authentication telnet console TACACS17 5580-20-1(config)#
ACS/TACACS server Configuration
1. Under Interface-TACSACS(Cisco IOS) go to Advanced Configuration Options
2. Check the Advanced TACACS+ Feautures option
3. Under Group go to Password Aging Rules section and check Apply password change rule
4. Under User go to TACACS+ Enable PAssword secion and check Use Cisco PAP Password
5. Under System Configuration select Local Password Management and set a proper policy
Telnet Session Password Change
Here is the expected behavior.
Syslogs for exchange
%ASA-6-113010: AAA challenge received for user telnet1 from server mcs-ibm3.
%ASA-6-113004: AAA user authentication Successful : server = mcs-ibm3 : user = telnet1