
ISE Local Accounts Password Change Method

paul
Level 10

I am working at a customer that is using ISE local accounts as the identity source for device admin credentials (i.e. TACACS for switches, routers, FWs, etc.).  I have all the policies configured without an issue.  Now I am trying to develop a method that will allow the end user to change their password after the ISE admin creates their account. 

I thought of trying to use the guest portal structure for this, but can't get it to work.  I set up a guest portal that uses the local identity store as the source sequence.  I have tried:

  1. Creating the ID and setting the ID to require password change next login
  2. Set the portal to allow the guest user to change the password after login
  3. Set the portal to require the guest user to change the password after first login

None of these seem to work.  When I do #1 I get an internal error trying to sign into the portal.  If I remove the require password change checkbox on the user ID I can get right in.  For #2 and #3 I go right to the success message without being prompted to change the password.

I am running ISE 2.1.  Any ideas on how best to allow the users to change their passwords after the ISE admin creates the account?

Thanks.

2 Accepted Solutions


From what I understand the Guest Portal flow does not change internal user passwords. So you will need to use my devices or sponsor portal for example. You could do some customization to hide everything and make it into a password change portal.  If you're looking for a dedicated password change flow then please reach out to the ISE Product Marketing Team through your local account team to ask for a feature


Please ask through sales channel to the ISE product marketing team for feature request


12 Replies

Timothy Abbott
Cisco Employee

Hi Paul,

Have you tried the My Devices portal?  Just be sure that the portal is configured so that internal users are allowed to change their own passwords.  Just be sure to uncheck 'require user to change password at next login' when the account is created.

Regards,

-Tim

Tim,

The MyDevices works when I “Allow internal users to change their own passwords” but doesn’t work when I check “Change password on next login” under the User ID itself. How is the “Change password on next login” option under the User ID ever supposed to be used?

I really didn’t want to use the MyDevices because you could add or change MAC addresses in the system by mistake. The guest portal seemed like a harmless portal to allow the users to change their password.

Thanks for your feedback.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

From what I understand the Guest Portal flow does not change internal user passwords. So you will need to use my devices or sponsor portal for example. You could do some customization to hide everything and make it into a password change portal.  If you're looking for a dedicated password change flow then please reach out to the ISE Product Marketing Team through your local account team to ask for a feature

Thanks Jason. I ended up using the MyDevices Portal and customized it and put “Do Not Use” on the various fields and buttons. Close enough.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

You can also remove items; here is a sample of how we removed tabs. Play around more; you can repurpose more if you like.

ISE MyDevices Portal customization (remove the column for pending/register state)

How to hide buttons on the sponsor portal

How do the users get routed to the Portal to change their expired TACACS passwords?

TACACS has no mechanism to redirect to a portal. You would need to automate something to email them if possible using APIs. Sounds like you're looking for something more enterprise related. For example, an AD account management platform.

Definitely looking for an Enterprise solution. We are migrating from Cisco ACS where we currently have a Portal (locally created) for users to reset passwords. We were looking for something similar with ISE.

Did you see this?
https://community.cisco.com/t5/identity-services-engine-ise/ise-password-change-portal-ucp-with-my-devices-portal/td-p/3475680

If you need better support reach out to the account team and our product marketing for feature enhancement

Are there plans to support something like the UCP service on the ACS? Because misusing the MyDevices portal is an interesting idea. But that does not support changing the enable password.

Please ask through sales channel to the ISE product marketing team for feature request

Akin Utku
Level 1

Hi guys, this seems an old thread but still is a requirement.  Has this been addressed in any way that you are aware?  

Needed requirements are:

1) Expiring passwords need to be notified and a URL provided for change password (Could be the "My Devices" portal)

2) Portal needs to support "user must change password at next login" 

3) Portal needs to support changing of password and enable password. 

 

Any ideas?  Thank you so much!