how to disable ISE CLI password expiration

david.tran · ‎12-14-2012

ISE version 1.1.1 patch5 running on VMware.

I got locked out yesterday due to password expiration and had to recover the CLI "admin" password using the recovery DVD.

How can I disable this "stupid" feature from ISE?

Tarik Admani · ‎12-14-2012

There is no password expiration on the CLI. There is a default password aging set to 45 days for the GUI, you can disable this by going to Administration > Admin Access > Authentication > Password Policy > Password Lifetime.

If you are experiencing issues with the cli account then you need to raise this issue with TAC.

Thanks,

Tarik Admani
*Please rate helpful posts*

DavidOnTheLeft · ‎01-17-2013

You can disable CLI Password expiration in ISE versions prior to 1.0 and 1.1 by using the following:

conf t

password-policy

no password-expiration-enable

Check the running config to make sure that under password-policy you don't see password-expiration-days or password-expiration-enable.

senaka_bs · ‎06-10-2015

In version 1.2.1, you cannot change the CLI password expiry from the CLI. It has to be done from the Admin GUI.

Administration -> System -> Admin Access -> Authentication -> Password Policy

Then disable /untick Suspend or Lock Account with Incorrect Login Attempts

After that you can confirm the settings via show run command in CLI.

If you have multiple ISE servers, this will apply to all of the at once.