topic Re: Admin accounts mysteriously getting disabled in ISE 2.4 in Network Access Control

Admin accounts mysteriously getting disabled in ISE 2.4

abhijith891 — Sun, 19 Aug 2018 14:31:38 GMT

Hi all,

I am facing a unique situation where some of the admin accounts I had created for my team have got disabled. Not just that, I am also unable to find an option to re-enable them. None of the boxes in the account disable policy have been ticked. Screenshots have been attached for reference. So can someone please help me out on this?

Regards,

Abhijit

Re: Admin accounts mysteriously getting disabled in ISE 2.4

anthonylofreso — Mon, 20 Aug 2018 11:15:01 GMT

Just curious, if you go to: "Operations > Reports > Audit > Administrator Logins" do you see messages similar to the following?

"Administrator authentication failed. Account is disabled due to inactivity"

"Account is suspended temporarily."

Also, on the dashboard do you see:

"Account is suspended temporarily due to excessive failed authentication attempts..."

We're running ISE 2.2, and our admin account also gets disabled.

Re: Admin accounts mysteriously getting disabled in ISE 2.4

howon — Mon, 20 Aug 2018 16:56:35 GMT

The alarms on the main dashboard should show why/when the accounts were locked/disabled.

The screenshot you reference is applicable to network access users. For admin account settings go to Administration > System > Admin Access, then click on either Account Disable Policy or Lock/Suspend Settings.

Re: Admin accounts mysteriously getting disabled in ISE 2.4

anthonylofreso — Mon, 20 Aug 2018 17:05:23 GMT

The reason I asked my questions is because on my dashboard I see the message:

"Administrator Account Locked/Disabled"

If I click on this message, it takes me to a pullout landing page that shows timestamps of the error message with a description of:

"Account is suspended temporarily due to excessive failed authentication attempts : AdminName=admin"

However, if you click on the 'details' button for that message, you'll see events that match up to the timestamps of the previous page with a completely different event which reads:

"Administrator authentication failed. Account is disabled due to inactivity"

I've had a tac case open for quite some time. They have not been able to determine which error is actually valid (failed login attempts vs account inactivity)

The account disable policy is disabled. The Lock/Suspend settings are enabled.

Re: Admin accounts mysteriously getting disabled in ISE 2.4

howon — Mon, 20 Aug 2018 17:14:11 GMT

Have you confirmed the none of the admin users in Administration > System > Admin Access > Administrators are disabled? Again, the screenshot that you have in the original posting is for the network users, which is different from admin users.

Re: Admin accounts mysteriously getting disabled in ISE 2.4

aamir.aleem — Mon, 07 Jan 2019 10:32:30 GMT

Hello Anthony,

Not sure if i have your kind attention here, but i am facing the same issue on a ISE 2.3 version with similar configuration as Mr. howon has shared.

I am not able to figure out the reason why the admin account is getting disabled.

Further, in the logs, i am seeing the IP address of the ISE as the source of the alerts and NOT a user who might be trying to enter wrong credentials which might be causing the lockout.

Appreciate if you could share any feedback from TAC regarding this issue?

Thanks!

Regards

Aamir Aleem

Re: Admin accounts mysteriously getting disabled in ISE 2.4

Jason Kunst — Mon, 07 Jan 2019 15:33:13 GMT

Suggest you work through TAC as well

Re: Admin accounts mysteriously getting disabled in ISE 2.4

mnagired — Mon, 07 Jan 2019 17:31:56 GMT

Hi,

Can you also verify below

Administration->System ->Admin Access ->Password Policy ->Password Lifetime

Re: Admin accounts mysteriously getting disabled in ISE 2.4

anthonylofreso — Mon, 07 Jan 2019 18:03:40 GMT

For the record, TAC's fix for this was a workaround at best. we ended up disabling the admin account that was repetitively suspending and creating a new admin account (different username).

To this day, if I re-enable the old account, it will get suspended after some time. And then re-enable, and then suspend again.

TAC said this was caused by an internal API call which used the same local admin account. They were able to determine this because of the time elapsed between suspensions.

Case was open from: May 29th to: December 16th

CSCvn25548 was also opened as a result of this case (not for my specific issue, but an additional issue we found while troubleshooting)

Re: Admin accounts mysteriously getting disabled in ISE 2.4

ASD SOC Tata Communications — Wed, 27 Feb 2019 07:52:59 GMT

I am runninng ISE 2.4 ( pathes 1 to 5) and ALL the admin accounts get disabled every morning, There was a warning before that saying that "your account will expire in xxx" but Cisco says that it is a cosmetic message and that it will not happen (ISE 2.2 patch 1: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf30591/?rfs=qvred )

Hopefully, 2 weeks ago, I had created a new admin account, so I can re enable the disbaled admin accounts.

I thought I had the right settings.

I have attached some snapshots.

Can you help with the settings?

Re: Admin accounts mysteriously getting disabled in ISE 2.4

Rao29 — Fri, 04 Oct 2019 17:43:40 GMT

I'm using ISE 2.4 patch 6 and i'm also impacted since May 2019 and the workaround is to reset the password via cli.

TAC was unable to resolve the case that's been open for months and i finally gave up.

Re: Admin accounts mysteriously getting disabled in ISE 2.4

Jason Kunst — Fri, 04 Oct 2019 18:18:36 GMT

Please escalate to duty manager

Re: Admin accounts mysteriously getting disabled in ISE 2.4

Rao29 — Fri, 04 Oct 2019 19:04:06 GMT

Thanks.I open a new TAC case.