The TACACS+ password aging rule does not work with SSH when "Apply password change rule" is set. How do I deal with this?
A. Use telnet for authentication. TACACS+ user password changes made during login, for example before expiry, do not work with SSH. The problem pertains to the combination of a TACACS+ AAA server and SSH when the session is established. It does not hold for RADIUS or for telnet sessions.

TACACS+ provides a feature where supplying a blank password to the AAA server triggers a password change sequence: a request for the old password is followed by a request for the new password. The outcome is success or failure depending on whether the new password is accepted or rejected.

Use telnet if the password needs to be changed before expiry. For expired passwords, SSH behavior is fine, because an expired password triggers the password change sequence. When telnetting to a router, a user can just press Enter at the Password: prompt in order to initiate the change password sequence. The user can also be notified if their password is expiring or has expired. This feature does not work when you connect to the router through SSH.