CISCO ISE password policy

Groto
Level 1

Hi,

I'd like to know about the password policy for ISE 3.0.

1. How will changing the user and admin policies to stricter ones (for example, raising the minimum password length from 8 to 12 characters) impact them? Will the current passwords become invalid?

2. If the user is both a network user and an admin, which policy will be applied? Does it depend on the resource the user is trying to access (admin policy for accessing ISE and user policy for everything else), or will they overlap and the stricter setting be applied?

Accepted Solution

Groto
Level 1

My conclusions:

  1. You can't create a network access user with the same username as an existing admin user.
  2. You can promote the network access user to admin without changing the password (to match a stricter admin password policy); however, when you try to log into the ISE GUI you will receive a "Password is expired" error message.
  3. If you delete the admin user (different from removing it from the administrator list), you will delete the network access user as well.
  4. When you change the admin password policy (to a stricter one), current admin sessions will not be impacted; however, as soon as the admin logs out and tries to log back into the ISE GUI, they will get a "Password is expired" error message.
  5. All admins who are not logged into the ISE GUI when the admin password policy change (to a stricter one) happens will also receive "Password is expired" when they try to log into the ISE GUI.
  6. Despite receiving the "Password is expired" error message, the password set under the network access user will still work for accessing network devices.
  7. The enable password set under the network access user is not changed when you change the admin password.
  8. When you change the admin password, you also change the network access user password.
  9. When you try to change the network access user password and the user is also an admin, the admin password policy will be used.


2 Replies

Arne Bier
VIP

Hi @Groto 

After changing the ISE Network Access User password policy requirements, the existing passwords will still work (even though they are technically non-compliant). The password policy only comes into effect when you create new accounts or change the password of existing accounts.

If you take the same Network Access User as above and add the user as an ISE Admin, then it simply associates the same name with both, but the password is handled independently. That means the admin password is not the same as the Network Access User password. You can change them independently.

Have a play on a lab ISE node for 100% assurance.
