[c-nsp] ACS 5.1 - Password expiring mechanism problem

John C jchvnet at googlemail.com
Tue Nov 9 06:24:19 EST 2010


Hi,

To be precise I am using the version 5.1.0.44.4.

The main issue is to
- Send a message to the end-user that his password is about to expire
- Give the tool to the user to actually change his password.

I have configured the AAA server using TACACS+ to warn the user when their
password will time out.

I have observed the following:

- If the user SSHes to the AAA client directly as enable (priv-level = 15),
no warning is shown about the password expiry date.

- If the user SSHes to the AAA client directly with priv-level = 1 and then
re-authenticates to become enable, only then is a warning message displayed.

- If we say that P1 is the password used to authenticate and get privilege
level 1, and P2 the password used to then become enable, I have seen that
the warning message concerns only P1, meaning that there is no way to know
how old the P2 password is, nor to enforce that this password actually gets
changed.

- Ticking the "TACACS Enable Password" option or not does not help in any way,
since there is no expiry-date field added to it.

- Finally, I do not tick "TACACS Enable Password", meaning that the user
has only one password P1 stored in the ACS. I then did the following test:
* connection via ssh
* I authenticate using P1
* I am granted priv-15, as per my ACS rules in place
* Then I type "disable" and "enable"
* At the prompt asking for a password, I write nothing and press enter; the
AAA client then asks for the old and new password
* The last action has just created an additional password P2, which is not
identical to P1
So we just lose synchronization.

The only workaround so far is to:
- Log in with privilege level 15,
- Not tick "TACACS Enable Password",
- Use P1 to become level 15 directly, since only P1 can have a timestamp,
- Send a password warning by e-mail to an admin when an account is about to
expire (that last part is not clear yet).

Any suggestion would be welcome.

Thank you,
Christophe
