Guest

Preview Tool

Cisco Bug: CSCul73734 - WAAS CM login will fail for users when TACACS send a message

Last Modified

Jul 07, 2015

Products (1)

  • Cisco Wide Area Application Services (WAAS) Appliances

Known Affected Releases

5.3(3)

Description (partial)

Symptom:
Clients who get authenticated by TACACS+ servers can get denied access to the CM if the TACACS+ server sends a message on login.

An example of this is when the TACACS+ server sends a password expiration warning.

Conditions:
You can see the message when logging in to the device:

$ telnet  cdn-vcm-1.cisco.com
...

User: tacacs-user
Password:
Authentication succeeded. Your password will expire in 51 weeks + 6 days  + 23 hours  + 41 Minutes
System Initialization Finished.
cdn-vCM-1>

When you enable the 'debug cms' command you will find the in the syslog a reference to this message:

dn-vCM-1#find match "Non-empty response from PAM layer" syslog.txt
2013 Nov 29 09:56:29 cdn-vCM-1 java: %WAAS-CMS-7-1400000: cdm(TP-Processor12) Non-empty response from PAM layer(Authentication succeeded. Your password will expire in 51 weeks + 6 days  + 23 hours  + 41 Minutes  Authentication succeeded. Your password will expire in 51 weeks + 6 days  + 23 hours  + 41 Minutes  0;1)
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.