Re: ISE internal users password expiring with password lifetime disabled

ULG · ‎02-20-2018

I've disabled all options under Administration > Identity Management > Settings > User Authentication Settings > Password Lifetime, but I'm still receiving a message saying my password will expire.

Can't see anywhere else this could be coming from, so am I missing something? It's important that passwords don't expire since we use this for device config backup and monitoring.

jai_chandra2001 · ‎04-18-2018

We had the same issue on ISE 2.2 P4, the user account did not have the option checked. But after a lot of hit and trial I found out that once the option is checked (which is by default), even though its unchecked the value stays in the database. By default the value is "Disable user account after 60 days...". So even if you uncheck the value stays in the database, i set the value to 365 days and was able to fix the issue. Once i unchecked the option after changing it to 365 it never threw the warning that my password was expiring. It may show the warning once the 365 day timer lapses.

Is it an expected behavior : No

Did it fix my issue: Yes

I didn't bother opening a TAC case, but it does look like a bug to me. Especially after seeing something relevant https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvh74550/?rfs=iqvred

ULG · ‎04-18-2018

Then you'll be pleased to hear they haven't fixed it in 2.3, so there's clearly no reason to upgrade.

But I also figured out the work-around of changing the number of days and enabling then disabling the option. I set mine to 3650 days, so we'll have to change the password on our monitoring user in 10 years. Hopefully our external monitoring provider will have figured out an easier way to update their passwords by then.

It's really confidence instilling when your security software has bugs in it.