01-23-2023 12:51 AM
Hi Community,
We have Cisco ISE Dot1x authentication with Active Directory for all Windows users, using their native supplicant. My question: is there a solution to make users able to change their password after it expires? I know that we can use a guest VLAN for failed authentications, but it is not secure to expose the AD to unauthenticated users.
I'm thinking of making machine authentication happen before user authentication; at least if the user's password expires, we can reach the Active Directory with an authenticated machine.
PS: I'm not talking here about the Password Change option on ISE; we can do that there. We are talking about expired passwords.
01-23-2023 06:48 AM
Machine authentication will solve this, since you are not relying on the user's password for 802.1X but on the machine account itself (which automatically renews itself with AD). However, your best path forward is to deploy a PKI and use EAP-TLS instead.
01-23-2023 07:58 AM
Thanks for your reply,
I'm trying to use both: let the machine authentication happen by default before user authentication (with limited access, just to verify machine credentials with the AD using an ACL), then authenticate the user as usual and grant access.
01-23-2023 07:40 AM
Hello @Mohamed BH, as mentioned over here about the machine authentication within the native supplicant: in ISE you will have to create a rule of lower precedence than the one that you have for user-based authentication, which will allow the machines access to the internal resources needed to change the password (if machine authenticated then... access to AD). However, you need to be specific about these conditions to make your environment secure.
Let me know if that helped you.
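The rule ordering the replies describe (a user rule above a lower-precedence machine-only rule that hands out a restricted ACL) can be modelled as a small first-match evaluator. The example below is added here and is not from the thread or from Cisco: it uses no real ISE API, and the rule names, session fields and dACL names (PERMIT_AD_ONLY, PERMIT_ALL, DENY_ACCESS) are hypothetical. It also shows what goes wrong when the machine rule is placed above the user rule and only checks the machine flag.

```python
# Added example, not from the thread or from Cisco: a first-match model of the
# ISE authorization ordering the replies describe (user rule above a
# lower-precedence machine-only rule). Rule names, Session fields and dACL
# names are hypothetical; no real ISE API is used.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Session:
    machine_authenticated: bool = False  # computer account passed 802.1X
    user_authenticated: bool = False     # user credentials passed 802.1X


@dataclass
class Rule:
    name: str
    matches: Callable[[Session], bool]
    dacl: str  # hypothetical downloadable ACL name applied on match


# Hypothetical dACL names. PERMIT_AD_ONLY stands for an ACL that permits only
# the traffic needed to reach the domain controllers (so a password change is
# possible) and nothing else; PERMIT_ALL is normal user access.
AD_ONLY_DACL = "PERMIT_AD_ONLY"
FULL_DACL = "PERMIT_ALL"
DENY = "DENY_ACCESS"


def recommended_policy() -> List[Rule]:
    """User rule first; machine-only rule below it, as the replies suggest."""
    return [
        Rule("User_Auth", lambda s: s.user_authenticated, FULL_DACL),
        Rule("Machine_Auth_Only",
             lambda s: s.machine_authenticated and not s.user_authenticated,
             AD_ONLY_DACL),
    ]


def misordered_policy() -> List[Rule]:
    """Same rules, but the machine rule sits above the user rule and only checks
    the machine flag: a fully authenticated user never reaches User_Auth."""
    return [
        Rule("Machine_Auth_Only", lambda s: s.machine_authenticated, AD_ONLY_DACL),
        Rule("User_Auth", lambda s: s.user_authenticated, FULL_DACL),
    ]


def evaluate(policy: List[Rule], session: Session) -> Tuple[str, str]:
    """First-match evaluation, top to bottom; no match falls to the deny default."""
    for rule in policy:
        if rule.matches(session):
            return rule.name, rule.dacl
    return "Default", DENY


def simulate_logon(policy: List[Rule], password_expired: bool) -> List[Tuple[str, str]]:
    """Walk the sequence the original poster describes: the machine authenticates
    at boot, then the user logs on. An expired password is modelled as a failed
    user authentication, leaving only the machine result in place."""
    results = []
    boot = Session(machine_authenticated=True)
    results.append(evaluate(policy, boot))
    logon = Session(machine_authenticated=True,
                    user_authenticated=not password_expired)
    results.append(evaluate(policy, logon))
    return results


if __name__ == "__main__":
    for label, policy in (("recommended", recommended_policy()),
                          ("misordered", misordered_policy())):
        for expired in (False, True):
            state = "expired password" if expired else "valid password"
            print(f"{label:12} {state:17} {simulate_logon(policy, expired)}")
```

With the recommended order, a machine whose user cannot authenticate stays on the AD-only ACL and can reach the domain controllers to change the password, while a successful user logon moves to full access; with the misordered policy every session, including a valid user, is stuck on the restricted ACL. Two things the model does not settle and that need checking in the real environment: whether the session actually retains a machine-authentication result after a failed user authentication (that depends on the native supplicant's settings and on how ISE tracks the session), and that the ACL on the machine-only rule really is limited to domain-controller traffic, since that rule matches any domain-joined machine with no user behind it.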