Given that Microsoft Active Directory has two limitations as follows:
Cannot reject specific word to be used in Password Reset (e.g. company name)
Cannot enforce Special Characters as Mandatory Complexity requirements (i.e. AD can accept the password if user submit on the following complexity "Upper Case, Lower Case, Alphanumeric , Special Characters"
Accordingly i need your help if there is solution can modify password policy on the Active Directory
Ok, the password policy in ISE could match your needs, but it's always the policy of the authentication system that enforces the policy. If your users are in AD, then the AD-rules are in place. Only if your users are local to the ISE, these rules are enforced. That's probably not what you want to have.
Unfortunately Yes, Users should be kept on AD , i'm wondering if there is Solution can do these requirements while remaining Users Database on AD itself.
From the discussion, I understood that you want the users to be kept on the AD however the password policy defined on AD has few limitations and you want the authentication server to overwrite the password policy for the authentication query while communicating to the AD. Well that would not be possible. The password policy will be checked for the identity store you have selected on ACS/ISE/ 3rd party AAA server. That means if on ACS server you authentication settings have LOCAL database as an identity store then local database password policy will be applied and if you have AD configured then its own password policy. You need to find out if the above 2 password policy requirements can be modified on the AD itself.
Regards - Jatin
~Jatin
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
