After upgrade to 3.4.6 TACACS\CISCO accounts no longer rotate. When we try to set a new password manually, the update fails with a communication error and PAM retains the old password. However, if we edit the account again and set the same new password, the account goes back in sync. PAM in fact sets the new password on the target device, but runs into an error at the end of the process and discards the new password. This is a very bad problem, because there is no way to know the new password, if it was auto-generated by PAM rather than typed in manually.

Release : 3.4.6

Component : PRIVILEGED ACCESS MANAGEMENT

A code change to fix a problem observed by PAM Engineering during internal stress testing of the UNIX target connector for 3.4.6 inadvertently affected the Cisco target connector.

As of January 2022 a test fix is available and can be requested from PAM Support