[c-nsp] ACS, TACACS+ and expired accounts
Tim Franklin
tim at pelican.org
Wed Sep 26 10:14:16 EDT 2007
Hi all,
I'm having some problems with ACS and expired passwords, using TACACS+ for
AAA of shell sessions on routers.
Looking in the ACS GUI, I can see my test account has expired, but I can
still log on to any routers, and I don't get any kind of warning message
either to change my password or that it's expired and I can't log in.
I'm running with telnet password changes (chpass) disabled, but I've tried
switching it back on, and it doesn't seem to change anything. I've got on
the router:
aaa authentication login default group tacacs+ local
aaa authentication login test group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 test group tacacs+ local
aaa accounting update newinfo
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
(with appropriate TACACS servers / keys / source-interface defined)
Is there something else I'm missing to get these expiry messages back to
the router? I'm sure I've had the above config working in a previous life
- but that was with 2.x on Solaris, and I'm now 4.1 on appliances.
TIA,
Tim.
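An added example, not part of Tim's message and not ACS or IOS code: a minimal TACACS+ (RFC 8907) ASCII-login client in Python that talks to the server directly and decodes every authentication REPLY it returns, status code and server_msg included. Driving the login from a script separates "what does the server actually send back for the expired account" from "what does the router relay to the terminal", which is the first thing to pin down with a symptom like the one above. The host, shared key and credentials are hypothetical, and the REPLY used for the offline check at the end is constructed here, not captured from an ACS box.

```python
import hashlib
import os
import socket
import struct

# Header constants (RFC 8907 section 4.1)
TAC_PLUS_VERSION = 0xC0            # major 0xc, minor 0 (ASCII login uses minor version 0)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
HEADER = "!BBBBII"                 # version, type, seq_no, flags, session_id, length

# Authentication REPLY status codes (RFC 8907 section 5.2)
STATUS_NAMES = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 5.2: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_{n-1}), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; calling it again on the result de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, key, body):
    """Header plus obfuscated body. Client packets carry odd seq_no, server packets even."""
    enc = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return struct.pack(HEADER, TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(enc)) + enc


def parse_packet(raw, key):
    """Split header from body and de-obfuscate unless the unencrypted flag is set."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, raw[:12])
    body = raw[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return version, ptype, seq_no, session_id, body


def authen_start_body(user, port="tty0", rem_addr="127.0.0.1", priv_lvl=1):
    """START for an ASCII login: action=LOGIN(1), authen_type=ASCII(1), service=LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(u), len(p), len(r), 0) + u + p + r


def authen_continue_body(user_msg):
    """CONTINUE carrying the answer to a GETUSER/GETPASS/GETDATA prompt (flags=0)."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m


def authen_reply_body(status, server_msg="", data=b"", flags=0):
    """REPLY as a server would build it; used here only to construct offline test traffic."""
    m = server_msg.encode()
    return struct.pack("!BBHH", status, flags, len(m), len(data)) + m + data


def parse_authen_reply(body):
    """Decode status, flags, server_msg (what the NAS should show the user) and data."""
    status, flags, mlen, dlen = struct.unpack("!BBHH", body[:6])
    return {"status": STATUS_NAMES.get(status, hex(status)), "flags": flags,
            "server_msg": body[6:6 + mlen].decode(errors="replace"),
            "data": body[6 + mlen:6 + mlen + dlen]}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TACACS+ server closed the connection")
        buf += chunk
    return buf


def ascii_login(host, key, user, password, port=49, timeout=5):
    """Run one ASCII login against a live server and return every decoded REPLY in order.
    The last entry's status and server_msg are what the router has to relay (or not)."""
    session_id = int.from_bytes(os.urandom(4), "big")
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_packet(TAC_PLUS_AUTHEN, 1, session_id, key, authen_start_body(user)))
        while True:
            hdr = _recv_exact(s, 12)
            length = struct.unpack(HEADER, hdr)[5]
            _, _, rseq, _, body = parse_packet(hdr + _recv_exact(s, length), key)
            reply = parse_authen_reply(body)
            replies.append(reply)
            if reply["status"] == "GETUSER":
                answer = user
            elif reply["status"] == "GETPASS":
                answer = password
            else:  # PASS, FAIL, ERROR, or a GETDATA prompt (e.g. new-password dialogue): stop
                return replies
            s.sendall(build_packet(TAC_PLUS_AUTHEN, rseq + 1, session_id, key,
                                   authen_continue_body(answer)))
```

Usage against a real server is `ascii_login("192.0.2.10", b"shared-key", "testuser", "oldpass")` (hypothetical host and key); compare the returned list for the expired account with the one for a healthy account. If the server answers PASS with no server_msg for the expired account, the router config is not the place to look; if it answers FAIL, or a GETDATA prompt for a new password, but the router shows nothing, the problem is on the router side. The loop stops at GETDATA on purpose so a password-change dialogue is reported rather than driven blindly.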