ISE Internal user disabled

manvik
Level 3

I am running into a strange issue. My ISE internal users get disabled automatically in 24 hours.

All the users are TACACS users. They change the password from a network device and it works, but after 24 hours the same user gets disabled.

This user does not get disabled if I change the password directly from the ISE admin GUI.

4 Replies

Amine ZAKARIA
Spotlight

Hello @manvik

Go to Administration -> Identity Management -> Settings -> User Authentication Settings

In the Password Policy tab, uncheck "Disable user account after":

passlifetime.JPG

And verify the Account Disable Policy tab:

Acc disable policy.JPG

"Disable User account after" is set to 30 days to meet compliance and audit purposes.

My doubt is why the account gets auto-disabled after 24 hours of a self password change.

As far as I know, it is because the password did not get changed in that specific delay from 1 to 30.

Uncheck the "Disable User account after" box, save, check the box again, and wait for the 24h.

Or you can check BugSearch

If the same behavior occurs, you can open a TAC case.

Hope that helps.

hslai
Cisco Employee

Copying from the on-box page-level help,

Check the Disable account after n days of account creation or last enable check box and enter the number of days. This option disables the user account when the account creation date or last access date exceeds the specified number of days. Administrators can manually enable the disabled user accounts, which reset the number of days count.

That means, it's expected to disable the user account after n days.

Please use the options in the Password Lifetime section, instead.

Note that if the enable password is configured for an internal user, then that also needs to be updated within the configured password lifetime.