Cisco ISE Local User Database - Password never expire for specific user

Hi Everyone

Is it possible to disable password expiry for a specific user in the Cisco ISE Local User Database?

The situation is that VPN users have been migrated from Cisco ACS to ISE and now all AuthC/AuthZ is happening through the Cisco ISE Local User Database. That is working fine, integrated with Cisco ASA.

The security policy requirement dictates that the VPN users have to change their password every 45 days, otherwise their account would be disabled.

Now the problem is that I was using the same Cisco ISE Local User Database for authenticating Cisco wireless APs (EAP-FAST) and all printers that support 802.1X (PEAP), and after enabling that option (45 days for passwords), all users in the local database would actually expire after 45 days (if passwords were not changed), including the usernames/passwords used for 802.1X (APs and printers), which should actually remain fixed with no change.

As it is an administrative nightmare to go to each printer to update the 802.1X password, along with the failure that would happen in the first place once they fail 802.1X because the account is now disabled --> I have configured a MAB policy in case of that situation so they would continue to work without business impact.

For wireless APs it is a lot easier, as changing the 802.1X credentials is centralized from the WLC.

I have searched the entire Cisco ISE 1.4 Patch 10 and it seems there is no option to disable password expiry for a specific user in the Cisco ISE Local User Database.

I found an option of "password never expires" for Guest users, but the problem is ISE won't allow me to create a Guest user manually (here I mean specifying the username and password myself instead of having them automatically generated for me).

Even when I tried and moved one local user under a specific Guest group, that won't work for authentication against the Guest user database, and that user still inherits the password policy of the Local User Database.

The sad thing is Cisco ACS has this option natively for its users and Cisco ISE doesn't :(

Any help would be appreciated.

2 Replies

As it is an administrative nightmare to go to each printer to update the 802.1X password, along with the failure that would happen in the first place once they fail 802.1X because the account is now disabled......business impact

The business impact of a breach is substantially more. It is really not a best practice to have an unchanging password, particularly for something like a printer, which is honestly one of the easiest devices to spoof.

The sad thing is Cisco ACS has this option natively for its users and Cisco ISE doesn't :(

This suggests that ISE takes a more secure approach. ACS and ISE are not two things one can easily compare. They are only similar in the sense that they are AAA servers.

Here are the options for ISE 2.2:

Password Lifetime
  Users can be required to periodically change password

  Disable user account after days if password was not changed (valid range 1 to 3650)

  Display reminder days prior to password expiration (valid range 1 to 3650)
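To make the effect of those two global settings concrete for a mixed user base like the one in the question, here is a small Python model of the "Password Lifetime" policy. This is an added illustration written for this thread, not Cisco code and not any ISE API; the user list, the account "kind" label and all dates are constructed. It computes, per local user, the disable date and the reminder date the policy implies, and lists which device accounts (printers, APs) will be disabled within a planning horizon so their credentials can be rotated before the MAB fallback has to carry them.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Valid range quoted in the reply above for both ISE 2.2 "Password Lifetime" fields.
ISE_MIN_DAYS, ISE_MAX_DAYS = 1, 3650


@dataclass(frozen=True)
class PasswordLifetimePolicy:
    """Model (not ISE's own implementation) of the two global settings:
    disable_after_days: 'Disable user account after N days if password was not changed'
    reminder_days:      'Display reminder N days prior to password expiration'
    The policy is global, so it applies to every local user, device accounts included."""
    disable_after_days: int
    reminder_days: int

    def __post_init__(self):
        for name, val in (("disable_after_days", self.disable_after_days),
                          ("reminder_days", self.reminder_days)):
            if not ISE_MIN_DAYS <= val <= ISE_MAX_DAYS:
                raise ValueError(f"{name}={val} outside valid range "
                                 f"{ISE_MIN_DAYS}-{ISE_MAX_DAYS}")

    def disable_date(self, last_change: date) -> date:
        """Day on which the account is disabled if the password is still unchanged."""
        return last_change + timedelta(days=self.disable_after_days)

    def reminder_date(self, last_change: date) -> date:
        """First day on which the expiry reminder would be shown."""
        return self.disable_date(last_change) - timedelta(days=self.reminder_days)


@dataclass(frozen=True)
class LocalUser:
    name: str
    kind: str          # constructed label: "vpn" (human) or "device" (printer/AP on PEAP/EAP-FAST)
    last_change: date  # last password change


def account_status(policy: PasswordLifetimePolicy, user: LocalUser, today: date) -> str:
    """Return 'active', 'reminder' or 'disabled' for a user on a given day."""
    if today >= policy.disable_date(user.last_change):
        return "disabled"
    if today >= policy.reminder_date(user.last_change):
        return "reminder"
    return "active"


def devices_at_risk(policy, users, today: date, horizon_days: int):
    """Device accounts that will be disabled within horizon_days unless rotated.

    Because the policy is global, printers and APs expire exactly like VPN users;
    this gives the admin the rotation list and the date before MAB fallback kicks in."""
    deadline = today + timedelta(days=horizon_days)
    return sorted(
        (u.name, policy.disable_date(u.last_change).isoformat())
        for u in users
        if u.kind == "device" and policy.disable_date(u.last_change) <= deadline
    )


# Constructed sample: the 45-day requirement from the question, a 7-day reminder.
POLICY = PasswordLifetimePolicy(disable_after_days=45, reminder_days=7)
TODAY = date(2017, 6, 1)
SAMPLE_USERS = [
    LocalUser("vpn-alice", "vpn", date(2017, 5, 20)),
    LocalUser("printer-floor2", "device", date(2017, 4, 10)),
    LocalUser("ap-lobby", "device", date(2017, 5, 25)),
    LocalUser("printer-hr", "device", date(2017, 4, 20)),
]


def run_sample():
    """Status of every sample account today plus the 30-day device rotation list."""
    return {
        "status": {u.name: account_status(POLICY, u, TODAY) for u in SAMPLE_USERS},
        "rotate_within_30d": devices_at_risk(POLICY, SAMPLE_USERS, TODAY, 30),
    }


if __name__ == "__main__":
    for name, status in run_sample()["status"].items():
        print(f"{name:16} {status}")
    print("rotate within 30 days:", run_sample()["rotate_within_30d"])
```

The useful output is the rotation list: with a global 45-day policy, an account such as printer-floor2 whose password was last set on 10 April is already disabled on 1 June, and printer-hr reaches its disable date on 4 June, so those are the devices whose 802.1X credentials must be changed (or whose MAB fallback will be exercised) first.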

Hi Jonathan

Thanks for your reply.

The business impact of a breach is substantially more. It is really not a best practice to have an unchanging password, particularly for something like a printer, which is honestly one of the easiest devices to spoof.

I do know indeed that having an account with an unchanging password is insecure. However, this is the only option given that most of these printers support only PEAP and not EAP-TLS, so the possible identity stores are (Local vs AD), and they rejected creating accounts for them in AD (makes sense for security reasons), leaving only the option of internal ISE users.
I have verified myself through the printers' administrative GUI that there is no way to reveal the dot1x password (on the assumption that you have the admin credentials to log in to the printers), and I do know there is no guarantee that there aren't some exploits and vulnerabilities out there that could somehow extract these passwords in clear text, but it is better to stick with dot1x than to use a weaker method to authenticate the printer like (MAB with SNMP profiling).

The point here is that the Helpdesk would refuse to do such an administrative job, as they don't understand that "Security comes with a cost."

This suggests that ISE takes a more secure approach. ACS and ISE are not two things one can easily compare. They are only similar in the sense that they are AAA servers.

I wouldn't look at it this way ("This suggests that ISE takes a more secure approach."), as ISE in many aspects is not enforcing some security; for example, ISE doesn't give me the flexibility to enforce certain TLS versions (1.0 vs 1.1 vs 1.2) and harden the TLS cipher suites (I know you can enable FIPS mode), but the options should be there for you if you want to tailor your protocols outside FIPS settings.

Plus, ISE by default doesn't enforce this password expiry, and it is a global setting (either on or off), so if the customer is forced to disable password expiry it would be global for all ISE local users, and it doesn't give you the option to tailor the solution to your specific needs.

Let's say this option is there and password expiry is disabled for a particular user (X-Admin), and that user would only be used in a policy set for printers with a specific allowed list (PEAP), with authorization checking PEAP, AuthC passed and the printer being profiled by SNMP, and then giving these printers restricted dACLs. --> So you have minimized the risk exposure and left other users in ISE with password expiry enabled.

The point here is that not all customers have this concept of "Security comes first"; some may sacrifice some security for more flexibility.