12-14-2020 12:07 PM
Does anyone know of a way to expose the internal user database password expiration date? It seems it should be trivial but not easily found. One use case for this request has to do with a number of "service" accounts with the same email. The password expiration just indicates an account password will expire, but with no way to know which one. It seems it should be easy to find users who are locked out or print out a list of password expiration dates...?
-- Jerry Matson
HDR Inc.
12-14-2020 12:40 PM
Have you considered relying on the ISE ERS APIs?
Here are two curl commands you could use (the first one returns all internal users with their unique IDs; the second one returns the expiryDate for a specific user ID):
1: curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user <user:pass> --request GET https://isepan:9060/ers/config/internaluser
2: curl -k --include --header 'Content-Type:application/json' --header 'Accept: application/json' --user <user:pass> --request GET https://isepan:9060/ers/config/internaluser/uniqueID
See more: ISE ERS API Examples - Cisco Community
https://isepan:9060/ers/sdk#
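The two calls above chained into one report, as an added example that is not part of the original post: it lists every internal user, fetches each record by ID, and returns name, email and account expiry so accounts sharing one email can be told apart. The JSON keys `SearchResult`, `resources`, `nextPage`, `InternalUser`, `email` and `expiryDateEnabled` are assumptions about the ERS response layout, and the sample responses are constructed; the date reported is the account expiry, not a password expiry.

```python
import base64, json, ssl, urllib.request

BASE = "https://isepan:9060/ers/config/internaluser"  # host name as used in the post

def ers_get(url, user, password, cafile=None):
    """GET one ERS URL with basic auth, verifying TLS against cafile (no curl -k)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Accept": "application/json", "Authorization": "Basic " + token})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def account_expiry_report(fetch, base=BASE):
    """Run call 1 (following nextPage links), then call 2 for every user ID."""
    rows, url = [], base
    while url:
        result = fetch(url)["SearchResult"]           # assumed response key
        for res in result.get("resources", []):
            u = fetch(f"{base}/{res['id']}")["InternalUser"]
            # expiryDate only counts when account expiry is switched on
            expiry = u.get("expiryDate") if u.get("expiryDateEnabled") else None
            rows.append((u["name"], u.get("email"), expiry))
        url = result.get("nextPage", {}).get("href")  # assumed paging key
    # Sort by email, then name, so accounts sharing an address sit together
    return sorted(rows, key=lambda r: (r[1] or "", r[0]))

# Constructed sample responses standing in for a live ISE node (two pages, two users)
SAMPLE = {
    BASE: {"SearchResult": {"total": 2,
           "resources": [{"id": "id-1", "name": "svc-a"}],
           "nextPage": {"href": BASE + "?page=2"}}},
    BASE + "?page=2": {"SearchResult": {"total": 2,
           "resources": [{"id": "id-2", "name": "svc-b"}]}},
    BASE + "/id-1": {"InternalUser": {"id": "id-1", "name": "svc-a",
           "email": "ops@example.com", "expiryDateEnabled": True,
           "expiryDate": "2021-06-30"}},
    BASE + "/id-2": {"InternalUser": {"id": "id-2", "name": "svc-b",
           "email": "ops@example.com", "expiryDateEnabled": False}},
}

if __name__ == "__main__":
    for name, email, expiry in account_expiry_report(SAMPLE.__getitem__):
        print(f"{name:10} {email:20} account expiry: {expiry or 'not set'}")
```

Against a live node, pass `lambda url: ers_get(url, user, password, cafile)` as `fetch`, with `cafile` pointing at the CA that issued the ISE certificate.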
12-14-2020 12:48 PM
I have used Postman to query that same location but it only shows if the user account is set to expire and that expiration date. Unfortunately, nothing about the password expiration date.
12-15-2020 03:11 PM
You are correct, Jerry, ISE does not expose that information, unfortunately.
I've sent it to one of our product managers as an enhancement.