The reason I asked my questions is because on my dashboard I see the message:

"Administrator Account Locked/Disabled"

If I click on this message, it takes me to a pullout landing page that shows timestamps of the error message with a description of:

"Account is suspended temporarily due to excessive failed authentication attempts : AdminName=admin"

However, if you click on the 'details' button for that message, you'll see events that match up to the timestamps of the previous page with a completely different event which reads:

"Administrator authentication failed. Account is disabled due to inactivity"

I've had a tac case open for quite some time. They have not been able to determine which error is actually valid (failed login attempts vs account inactivity)

The account disable policy is disabled. The Lock/Suspend settings are enabled.

Have you confirmed the none of the admin users in Administration > System > Admin Access > Administrators are disabled? Again, the screenshot that you have in the original posting is for the network users, which is different from admin users.

Hello Anthony,

Not sure if i have your kind attention here, but i am facing the same issue on a ISE 2.3 version with similar configuration as Mr. howon has shared.

I am not able to figure out the reason why the admin account is getting disabled.

Further, in the logs, i am seeing the IP address of the ISE as the source of the alerts and NOT a user who might be trying to enter wrong credentials which might be causing the lockout.

Appreciate if you could share any feedback from TAC regarding this issue?

Thanks!

Regards

Aamir Aleem

For the record, TAC's fix for this was a workaround at best. we ended up disabling the admin account that was repetitively suspending and creating a new admin account (different username).

To this day, if I re-enable the old account, it will get suspended after some time. And then re-enable, and then suspend again.

TAC said this was caused by an internal API call which used the same local admin account. They were able to determine this because of the time elapsed between suspensions.

Case was open from: May 29th to: December 16th

CSCvn25548 was also opened as a result of this case (not for my specific issue, but an additional issue we found while troubleshooting)

I am runninng ISE 2.4 ( pathes 1 to 5) and ALL the admin accounts get disabled every morning, There was a warning before that saying that "your account will expire in xxx" but Cisco says that it is a cosmetic message and that it will not happen (ISE 2.2 patch 1: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf30591/?rfs=qvred )

Hopefully, 2 weeks ago, I had created a new admin account, so I can re enable the disbaled admin accounts.

I thought I had the right settings.

I have attached some snapshots.

Can you help with the settings? 

I'm using ISE 2.4 patch 6 and i'm also impacted since May 2019 and the workaround is to reset the password via cli. 

TAC was unable to resolve the case that's been open for months and i finally gave up.