Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1278
Views
2
Helpful
5
Replies

Determine password age of an ISE 3.1 TACACS user (internal database)

Go to solution
wags
Level 1
Level 1

‎03-28-2023 03:23 AM

Is there a way in the ISE GUI or CLI to look at the internal database of TACACS users, to determine how soon the password needs to be changed on a specific account (or a counter showing the number of days since last changed, or the like).  

In our case we cannot use the obvious solution of the canned GUI report of the user changing password because the deployment is busy enough to have "aged out" the internal log entry.  

TIA

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee
In response to wags

‎03-30-2023 07:13 AM - edited ‎03-30-2023 07:16 AM

There is a way, but you can only check a single account at a time, and it was just added in 3.2.

Go to Administration > Identity Management > Identities > Users, select your user and look at the Password Lifetime.  Even if Never Expires is selected, change it to With Expiration to see the Lifetime left for that password if it were to expire.

CharlieMoreton_0-1680185518513.png

View solution in original post

0 Helpful
5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-28-2023 03:37 AM

You can look Global Settings about password change policy : ( not that i have observed closely for local accounts) - may be we can check audit report.

 

balajibandi_0-1679999682965.png

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
wags
Level 1
Level 1

‎03-30-2023 03:35 AM

Thanks for the responses, however unless I misunderstand they are not what we need.   We need to check specific internal/local accounts for upcoming password expiry in some way.   It would be a non-issue if Cisco would  provided the ability to assign different password policy for different accounts/groups CSCvu07107.   I can look through syslog (we log ISE there as well), but not everyone else has 30+ years with Cisco and Unix like myself.  Really need a "raw newbie" way to accomplish the task.

0 Helpful

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee
In response to wags

‎03-30-2023 07:13 AM - edited ‎03-30-2023 07:16 AM

There is a way, but you can only check a single account at a time, and it was just added in 3.2.

Go to Administration > Identity Management > Identities > Users, select your user and look at the Password Lifetime.  Even if Never Expires is selected, change it to With Expiration to see the Lifetime left for that password if it were to expire.

CharlieMoreton_0-1680185518513.png

0 Helpful

Go to solution
wags
Level 1
Level 1
In response to Charlie Moreton

‎03-30-2023 07:27 AM

Charlie, that is so great to hear/see.  It will (in our near future) save me a good deal of headaches.  And any newbie can manage it without instruction!!  LOL.  Again thanks.

0 Helpful
Customers Also Viewed These Support Documents