01-31-2019 01:52 AM - edited 03-11-2019 01:54 AM
I am running Cisco ISE 2.4 and I have just finished the migration from ACS 4.1.
Now, when people (not even admin people, just regular users) use their TACACS account to telnet/ssh, they get the message:
Username: xxxxxx
Password:
Authentication succeeded. Your password will expire in 3 weeks + 2 days + 6 hours + 6 Minutes
Router#
1) I don't want people to have to change their password
2) I don't want to see this message.
I went through a lot of options (administration, admin access, settings, password policy), no way to get rid of that.
Any tip?
Thanks
Regards,
Gilles
01-31-2019 05:39 AM
02-16-2019 02:16 PM
Likely due to CSCvf30591
01-31-2019 02:54 AM - edited 01-31-2019 02:58 AM
This is a function of the TACACS (Device Admin) and not the ISE admin (which your screen captures are showing).
I tested this in my lab and I was able to reproduce your issue. There is a checkbox to enable the password expiration reminder - and I think there is a bug because if you uncheck that box, then the reminder is still displayed. No way around it.
Of course, this only happens if there is an actual password expiration set on those local users. I have not tested this with AD (not sure if this also works if the accounts live in AD - I only tested with ISE internal user accounts).
Oh and, if you want to stop this password expiration stuff, then just untick the box "Disable user account after"
TACACS Username:bob
TACACS Password:
Authentication succeeded. Your password will expire in 1 weeks + 2 days + 23 hours + 49 Minutes
router01#
01-31-2019 03:08 AM
Hi Arne,
Thanks for your answer. We use a local authentication (no AD).
If I understand, there is no way to suppress the message along with the "expiration date".
I have attached 2 new pix.
It is really annoying for people working in a NOC. And on top of this, most of them don't know how to change a TACACS password.
Any tip is welcomed :)
Thanks
Regards,
Gilles
01-31-2019 04:42 AM
01-31-2019 04:52 AM - edited 01-31-2019 05:00 AM
I think you are the proud owner of a new ISE bug :-)
I am also on ISE 2.4 patch 5 and I can reproduce it. So the expiration time does play a role and there is a workaround to stop annoying your people. Just set the "Disable user account after" to 3650 days and tick the box. And then set the "Display reminder" to 1 and tick the box. That will buy you some sanity and some time to get the bug raised and hopefully resolved (in ten years' time!).
I am pretty sure this is a bug because it makes no sense otherwise.
I even deleted the user bob and it still happens. It's not tied to the user - it's as if the password expiration just has a mind of its own. Once it has calculated a password expiration event, it will latch that event, even if the display reminder option is then subsequently turned off. But toggling the value to 10 years seems to do the trick.
I'd say raise a TAC case anyway.