
CISCO ISE Password expiry in distributed deployment

pcno
Level 1

Please reply to my query, it is very urgent. I have 6 ISE running as a distributed deployment, like 2 PAN, 2 PSN, 2 MNT.
When I go to GUI Administrator > admin access > password policy, I am not seeing the 45 days expiry. But when I type show run in the ISE CLI, it says password expiry is 45 days ... I tried initiating the command # No password-expiry enabled, but it gave me an error saying please change password policy in GUI.

Please advise me what to do: in the GUI the password lifetime is missing, and in the CLI it keeps telling me to do it in the GUI.
ISE Version 2.6 with patch 3.
Does ISE password expire in Distributed deployment? 

Thanks
Priyesh

1 Accepted Solution


No, nothing from the CLI side. These settings will take care of the CLI admin expiry.

This policy is replicated for you across all nodes in the deployment, set it once and done.


5 Replies

Damien Miller
VIP Alumni

You can take a look at this page, the default expiry is 45 days across the deployment, and as indicated it is configured from the GUI. 

https://<ise admin ip>/admin/#administration/administration_system/administration_system_rbac/adminAccess_authentication

Then click on the "password policy" tab and scroll down.  


Thank you Damien. In my case Chrome was not loading the full page of ISE; because of that I was not seeing that 45 days option. I tried in Firefox and I was able to see the option.

I just unchecked 45 days in the primary PAN. None of the other nodes has any admin panel since they are secondary, so do I need to break the deployment and repeat the process on each node, or will it automatically synchronise with the ISE primary PAN where I unchecked the option?

Also, do I need to do anything in the CLI regarding password expiry, or is the GUI enough?

Please reply, thank you.

No, nothing from the CLI side. These settings will take care of the CLI admin expiry.

This policy is replicated for you across all nodes in the deployment, set it once and done.

Thank you very much.

acazarez
Level 1

I have a similar issue under the same deployment.
2 PAN 2 PSN 2 MNT

All health checks are OK, all nodes are working OK.

I have the 45-day expiration policy disabled in the PAN nodes.

Do you know if I have to do this in every node? I am asking because I cannot log into the PSNs only.