[c-nsp] ACS, TACACS+ and expired accounts

Tim Franklin tim at pelican.org
Wed Sep 26 10:14:16 EDT 2007


Hi all,

I'm having some problems with ACS and expired passwords, using TACACS+ for
AAA of shell sessions on routers.

Looking in the ACS GUI, I can see my test account has expired, but I can
still log on to any routers, and I don't get any kind of warning message
either to change my password or that it's expired and I can't log in.

I'm running with telnet password changes (chpass) disabled, but I've tried
switching it back on, and it doesn't seem to change anything.  I've got on
the router:

aaa authentication login default group tacacs+ local
aaa authentication login test group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 test group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

(with appropriate TACACS servers / keys / source-interface defined)

Is there something else I'm missing to get these expiry messages back to
the router?  I'm sure I've had the above config working in a previous life
- but that was with 2.x on Solaris, and I'm now 4.1 on appliances.

TIA,
Tim.

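Added example, not part of the original post or of ACS: a minimal decoder for a TACACS+ authentication REPLY using the RFC 8907 packet layout and MD5 body obfuscation. That REPLY is the packet that would carry an expiry message from the server to the router, so capturing one on the wire and decoding it shows whether the server is returning FAIL with a server_msg or simply PASS. The shared key, session id and message below are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body was not obfuscated
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 body obfuscation: MD5 chain over session_id, key, version, seq_no."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_reply(session_id, seq_no, status, server_msg, key, version=0xC0):
    """Construct a server REPLY (used here only to make a sample packet to decode)."""
    body = struct.pack(">BBHH", status, 0, len(server_msg), 0) + server_msg
    body = xor_body(body, session_id, key, version, seq_no)
    header = struct.pack(">BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + body

def decode_authen_reply(packet, key):
    """Return the status name and server_msg of a TACACS+ authentication REPLY."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(">BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a complete TACACS+ authentication packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = struct.unpack(">BBHH", body[:6])
    if 6 + msg_len + data_len != length:
        # After de-obfuscation the field lengths must match the header; they
        # will not if the shared key on this side differs from the server's.
        raise ValueError("length fields inconsistent; wrong shared key?")
    server_msg = body[6:6 + msg_len].decode("utf-8", "replace")
    return {"seq_no": seq_no, "status": STATUS_NAMES.get(status, hex(status)),
            "server_msg": server_msg}

if __name__ == "__main__":
    # Constructed sample: a FAIL reply carrying an expiry message (not real ACS output)
    pkt = build_authen_reply(0x1A2B3C4D, 2, 2, b"Password has expired", b"example-key")
    print(decode_authen_reply(pkt, b"example-key"))
```

A reply decoded as PASS with an empty server_msg means the server accepted the login and sent no expiry text for the router to display.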