[c-nsp] ACS 5.1 - Password expiring mechanism problem

[John C]

Hi,

To be precise I am using the version 5.1.0.44.4.

The main issue is to
- Send a message to the end-user that his password is about to expire
- Give the tool to the user to actually change his password.

I have configured the AAA server using TACACS+ to warn the user when their
password will time-out.

I have observed the following:

- If the user SSH to the AAA client directly as enable (priv-level = 15) -
No warning are shown about the password expiring date.

- If the user SSH to the AAA client directly with priv-level = 1, and then
re-authenticate to become enable, only then a warning message is displayed.

- If we say that P1 is the password to authenticate and get the privilege
level 1 and P2 the password to, then, become enable, I have seen that:
The warning message concerns only P1 - meaning that there is no way to know
how old the P2 password is, but also to enforce this password to actually be
changed.

- Ticking or not the "TACACS Enable Password" does help in anyway since
there is no expiring-date field added to it.

- Finally, I do not tick the "TACACS Enable Password" meaning that the user
has only one password P1 stored in the ACS, I then did the following test:
* connection via ssh
* I authenticate using P1
* I am granted priv-15, as per my ACS rules in place
* Then, type "disable" and "enable"
* At the prompt asking for password, I write nothing and press enter, the
AAA client asks then for the old and new password
* The last action just created an additional password P2, which is not
identical to P1
So, we just loose synchronization.

The only work around so far is to:
- Log in with privilege level 15,
- Not ticking "TACACS Enable Password"
- Use P1 to become Level15 directly, since only P1 can have a timestamp
- Send a password warning by e-mail to an admin, when an account is about to
expire. (that last part is not clear yet)

Any suggestion would be welcome.

Thank you,
Christophe