can not use previous password in ISE 1.1.2 patch-5

david.tran
Level 4

this is my password-policy:

password-policy
  lower-case-required
  upper-case-required
  digit-required
  no-username
  disable-cisco-passwords
  min-password-length 6
  password-lock-retry-count 5

I also entered the following:

conf t
  password-policy
  no password-locked-enabled
  no no-previous-password

my initial "admin" account has the password "Checkpoint1234". It locked me out after 5 attempts from the webUI. Fine, I CLI into the box and reset the password, but when I try to reset the password for "admin" to "Checkpoint1234", it tells me that I can NOT use a previous password.

How do I disable this option altogether? In other words, I want to use the previous password.

By the way, in the webUI password-policy, you have to set the "Password History" between 1 and 10.  WTF!!!

Thanks in advance.


askhuran
Level 1

Admin account for the web UI seems to be locked out. So it needs to be reset from CLI.

An incorrect password for your administrator user ID was entered enough times to disable the administrator password. The minimum and default number is five. The Cisco ISE user interface "locks you out" of the system and suspends the credentials for that administrator ID until you have an opportunity to reset the password that is associated with that administrator ID. It does not affect the CLI password for the specified administrator ID.

Step 1    Access the direct-console CLI and enter the following command:

admin# application reset-passwd ise

Step 2    Specify a new password that is different from the previous two passwords that were used for this administrator ID:

Enter new password:
Confirm new password:
Password reset successfully

If you only want to use the previous password, you should change the password policy first. After you have successfully reset the administrator password, the credentials become immediately active in the Cisco ISE and you can log in with the new password without having to reboot your system.

Review the section "Password Negated Due to Administrator Lockout" at the following location:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_postins.html

Perhaps I did NOT make the question clear.  Here we go again:

1- I know how to reset the password and I know how to do it,

2- the original question is:  I want to disable the option on ISE so that I can re-use previous password for admin user when connecting via the webUI.

For example, let's say I have an account called "admin" that I created during the original setup with a password of "Checkpoint1234"... Let's say I type the wrong password 10 times and now the "admin" account is locked out.

So, I have to CLI into the ISE and reset the password, BUT I want to reset the password back to "Checkpoint1234" and the ISE will NOT let me. By the way, I did change the password policy first before intentionally typing the wrong password so that I could reset the password for the account "admin".

I want to disable this feature completely in ISE.  The question is, how do I go about doing that?

ISE 1.2 will have the option to disable password history.

There was a defect in earlier versions of ISE.

ISE 1.0.x/1.1.x admin password policies for the web UI and the CLI are set separately. That is why the defect was declared Junked.

ISE 1.2.0 will sync the ones set in the web UI to the CLI.

CSCtt15284    password policy no-previous-password does not work

In the GUI, if you try to set the value to 0, you will see a pop-up saying "Password history field value should be between 1 and 10."

In the CLI, even if you make changes under password-policy and remove "no-previous-password", when you then try to reset the password to the previous one it throws an error message:

admin# application reset-passwd ise admin
Enter new password:
Confirm new password:
Password can't be set to one of the earlier 2 password(s)

Jatin Katyal

- Do rate helpful posts -

~Jatin

I can NOT see this bug ID. I don't think the bug ID is available to Cisco customers unless you work for Cisco.

You might not be able to see it, as it's an internal defect.

This is what we have in the contents.

The password policy no-previous-password option is for CLI users (admin) and it is working properly, as below:

ISEVM-22/admin(config)# username admin password plain Lab123 role ?
  admin  Specifies user with administrative role privileges
  user   Specifies user with read-only role privileges

The application reset-passwd ise command is for the ISE application, and the password policy configured in the ISE admin settings is enforced as configured; by default it is the last three passwords.

To set this option from the ISE UI, see the following navigation: Administration --> System --> Admin Access --> Authentication --> Password Policy --> Password History

Hope this helps.

Jatin Katyal

- Do rate helpful posts -

~Jatin
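An added simulation (not Cisco's code, and not from any poster in this thread) of the admin password policy the thread describes: the directives from the original post, plus a history depth that, like the ISE web UI, must stay between 1 and 10, so history cannot be switched off. The 2-deep window and the rejection text mirror the CLI output quoted above; previous passwords are kept only as salted hashes. Class and function names are assumptions.

```python
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    # Directives and values taken from the thread's password-policy block.
    min_length: int = 6
    require_lower: bool = True
    require_upper: bool = True
    require_digit: bool = True
    no_username: bool = True
    history_depth: int = 2   # ISE web UI accepts 1..10 only; 0 ("disabled") is refused

    def __post_init__(self):
        if not 1 <= self.history_depth <= 10:
            raise ValueError("Password history field value should be between 1 and 10")


def _digest(password: str, salt: bytes) -> bytes:
    # Old passwords are stored only as salted PBKDF2 digests, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class AdminAccount:
    username: str
    history: list = field(default_factory=list)   # (salt, digest) pairs, oldest first

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))

    def reused(self, candidate: str, depth: int) -> bool:
        # Only the newest `depth` entries count, like ISE's "earlier N password(s)".
        return any(_digest(candidate, s) == d for s, d in self.history[-depth:])


def check_password(policy: PasswordPolicy, acct: AdminAccount, candidate: str) -> list:
    """Return the policy violations for candidate; an empty list means it is accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_lower and not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if policy.require_upper and not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if policy.no_username and acct.username.lower() in candidate.lower():
        problems.append("contains the username")
    if acct.reused(candidate, policy.history_depth):
        problems.append(f"Password can't be set to one of the earlier {policy.history_depth} password(s)")
    return problems


def reset_password(policy: PasswordPolicy, acct: AdminAccount, candidate: str) -> list:
    """Apply the check and, on success, push the new password onto the account history."""
    problems = check_password(policy, acct, candidate)
    if not problems:
        acct.remember(candidate)
    return problems
```

Resetting "admin" back to its current password fails, while two successive new passwords push the old one out of the 2-deep window and make it acceptable again.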

Thank you for confirming this.  I opened a TAC case with Cisco last week and they also told me the same thing.

I see... I would appreciate it if you can mark this thread resolved so that others can benefit from it.

Jatin Katyal
- Do rate helpful posts -

~Jatin