Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2662
Views
0
Helpful
5
Replies

ISE internal user for TACACS+ status monitoring and Account Disable Policy

Go to solution
Ping Zhou
Level 8
Level 8

‎08-07-2017 09:07 AM

Hi Experts,

I have three questions regarding the internal user account on ISE. (We use this ISE internal user account for TACACS+ device admin.)

-  Is there a hidden default account disable policy for internal users, even with all the check boxes are unchecked?

    I set up this internal user on ISE on June 6, and made sure there were no check boxes checked, under this individual user account and Global settings for internal identity. It still got disabled on Aug 6th. as attached.internal user acct disabled by system.jpg

- Is it possible to set this specific internal ISE user Account Disable Policy disable policy to infinite, so it never gets expired.I don't see option for such setting except the one under individual user policy and that 3 options for the Global account policy tab.

-  finally, is there a way to set up email notification just for this specific individual user account when its status change from enable to disable.

Thanks,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Ping Zhou

‎08-07-2017 03:21 PM

If all the relevant options in both the password policy and the account disable policy for internal users are not selected, then all internal users will not expire, unless per-user disabling date specified.

I see the password reminder option for internal admin users but not for internal users. For internal users, the remediation is the only email option shown for internal users.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
hslai
Cisco Employee
Cisco Employee

‎08-07-2017 12:08 PM

Please check also the password policy as there are options for Password Lifetime and Lock/Suspect Account with Incorrect Login Attempts.

If the internal user accounts have valid email addresses and a SMTP configured, then ISE will send remediation email when the account is locked.

0 Helpful

Go to solution
Ping Zhou
Level 8
Level 8
In response to hslai

‎08-07-2017 12:45 PM

Thanks for replying. I apologized I didn't make it clear. The internal user account in question is NOT for logging into the ISE itself, it's for ISE to check the user login when this user is doing TACACS+ to log into network devices (simply put, a machine is using this internal account to login into our network devices, authenticated by ISE via TACACS+.). Once it's configured and tested, the machine uses the same username and password to login to our network devices, via ISE TACACS+ using this ISE internal user. With this, I can see there is a setting (Administration > Identity Management > Settings > User Authentication Settings, password policy tab )  under "password lifetime", says "Disable user account after (60) days if password was not changed (valid range 1 to 3650)". Is it ON by default? If yes, it answers my first question...that's is I configured up on June 6th, the account got disabled on August 6th... and it also kind of removed my second and third questions from my list above (I'm assuming if I uncheck this box, and nothing checked on "Account Disable Policy" tab,  as well as nothing checked under this individual internal users for account disable policy, this internal user won't never expire. therefore, I don't have to monitor its status via email notification. Am I correct?. if I'm correct, just for curiosity, is there email notification can be set up for this specific account to check it's status? beside the way you mentioned as above. this is a machine doing login, once its configured properly, the machine doesn't do incorrect login attempt to trigger email remediation message.)

Thanks!

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Ping Zhou

‎08-07-2017 12:59 PM

Yes, the password policy has this ON by default to disable user account after 60 days since ISE 1.0 MR.

For your question #2, we would need to un-select all the relevant options in both Password Policy and Account Disable Policy. Then, we may set a policy disabling date per user.

0 Helpful

Go to solution
Ping Zhou
Level 8
Level 8
In response to hslai

‎08-07-2017 01:08 PM

Thank you for prompt reply. I plan to have this internal account enabled indefinitely, so if I un-select all these relevant options as we discussed above, this internal account will never expire?

What about the email notification as I asked above?

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Ping Zhou

‎08-07-2017 03:21 PM

If all the relevant options in both the password policy and the account disable policy for internal users are not selected, then all internal users will not expire, unless per-user disabling date specified.

I see the password reminder option for internal admin users but not for internal users. For internal users, the remediation is the only email option shown for internal users.

0 Helpful
Customers Also Viewed These Support Documents