Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14575
Views
16
Helpful
12
Replies

ISE Local Accounts Password Change Method

Go to solution
paul
Level 10
Level 10

‎08-17-2016 09:34 AM

I am working at a customer that is using ISE local accounts as the identity source for device admin credentials (i.e. TACACS for switches, routers, FWs, etc.).  I have all the policies configured without an issue.  Now I am trying to develop a method that will allow the end user to change their password after the ISE admin creates their account. 

I thought of trying to use the guest portal structure for this, but can't get it to work.  I setup a guest portal that uses the local identity store as the source sequence.  I have tried:

  1. Creating the ID and setting the ID to require password change next login
  2. Set the portal to allow the guest user to change the password after login
  3. Set the portal to require the guest user to change the password after first login

None of these seem to work.  When I set do #1 I get an internal error trying to sign into the portal.  If I remove the require password change checkbox on user ID I can get right in.  For #2 and #3 I go right to the success message without being prompted to change the password.

I am running ISE 2.1.  Any ideas on how best to allow the users to change their passwords after the ISE admin creates the account?

Thanks.

1 person had this problem
2 Accepted Solutions

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to paul

‎08-23-2016 01:10 PM

From what I understand the Guest Portal flow does not change internal user passwords. So you will need to use my devices or sponsor portal for example. You could do some customization to hide everything and make it into a password change portal.  If you're looking for a dedicated password change flow then please reach out to the ISE Product Marketing Team through your local account team to ask for a feature

View solution in original post

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to ROBERTO GIANA

‎11-10-2017 04:17 AM

Please ask through sales channel to the ISE product marketing team for feature request

View solution in original post

0 Helpful
12 Replies 12

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎08-17-2016 11:25 AM

Hi Paul,

Have you tried the My Devices portal?  Just be sure that the portal is configured so that internal users are allowed to change their own passwords.  Just be sure to uncheck 'require user to change password at next login' when the account is created.

Regards,

-Tim

Go to solution
paul
Level 10
Level 10
In response to Timothy Abbott

‎08-17-2016 12:50 PM

Tim,

The MyDevices works when I “Allow internal users to change their own passwords” but doesn’t work when I check “Change password on next login” under the User ID itself. How is the “Change password on next login” option under the User ID ever supposed to be used?

I really didn’t want to use the MyDevices because you could add or change MAC addresses in the system by mistake. The guest portal seemed like a harmless portal to allow the users to change their password.

Thanks for your feedback.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to paul

‎08-23-2016 01:10 PM

From what I understand the Guest Portal flow does not change internal user passwords. So you will need to use my devices or sponsor portal for example. You could do some customization to hide everything and make it into a password change portal.  If you're looking for a dedicated password change flow then please reach out to the ISE Product Marketing Team through your local account team to ask for a feature

Go to solution
paul
Level 10
Level 10
In response to Jason Kunst

‎08-23-2016 03:41 PM

Thanks Jason. I ended up using the MyDevices Portal and customized it and put “Do Not Use” on the various fields and buttons. Close enough.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to paul

‎08-24-2016 09:22 AM

you can also remove items, here is a sample on how we removed tabs. play around more you can repurpose more if you like

ISE MyDevices Portal customization (remove the column for pending/register state)

How to hide buttons on the sponsor portal

Go to solution
mmintz001
Level 1
Level 1
In response to paul

‎10-18-2018 08:07 AM

How do the users get routed to the Portal to change their expired TACACS passwords?

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to mmintz001

‎10-18-2018 08:11 AM

TACACs has no mechanism to redirect to a portal. You would need to automate something to email them if possible using APIs. Sounds like you're looking for something more enterprise related. For example an AD account management platform.
0 Helpful

Go to solution
mmintz001
Level 1
Level 1
In response to Jason Kunst

‎10-18-2018 08:25 AM

Definitely looking for an Enterprise solution. We are migrating from Cisco ACS where we currently have a Portal (locally created) for users to reset passwords. We were looking for something similar with ISE.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to mmintz001

‎10-18-2018 08:40 AM

Did you see this?
https://community.cisco.com/t5/identity-services-engine-ise/ise-password-change-portal-ucp-with-my-devices-portal/td-p/3475680

If you need better support reach out to the account team and our product marketing for feature enhancement

Go to solution
ROBERTO GIANA
Level 4
Level 4
In response to Jason Kunst

‎11-10-2017 01:50 AM

Are there plans to support something like the UCP service on the ACS? Because misusing the MyDevices portal is an interessting idea. But that does not support to change the enable password.

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to ROBERTO GIANA

‎11-10-2017 04:17 AM

Please ask through sales channel to the ISE product marketing team for feature request

0 Helpful

Go to solution
Akin Utku
Level 1
Level 1

‎01-05-2022 04:29 PM

Hi guys, this seems an old thread but still is a requirement.  Has this been addressed in any way that you are aware?  

Needed requirements are:

1) Expiring passwords need to be notified and a URL provided for change password (Could be the "My Devices" portal)

2) Portal needs to support "user must change password at next login" 

3) Portal needs to support changing of password and enable password. 

 

Any ideas?  Thank you so much! 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents