VIP Advocate

ISE Local Accounts Password Change Method

I am working at a customer that is using ISE local accounts as the identity source for device admin credentials (i.e. TACACS for switches, routers, FWs, etc.).  I have all the policies configured without an issue.  Now I am trying to develop a method that will allow the end user to change their password after the ISE admin creates their account. 

I thought of trying to use the guest portal structure for this, but can't get it to work.  I set up a guest portal that uses the local identity store as the source sequence.  I have tried:

  1. Creating the ID and setting the ID to require password change next login
  2. Set the portal to allow the guest user to change the password after login
  3. Set the portal to require the guest user to change the password after first login

None of these seem to work.  When I do #1 I get an internal error trying to sign into the portal.  If I remove the require password change checkbox on the user ID I can get right in.  For #2 and #3 I go right to the success message without being prompted to change the password.

I am running ISE 2.1.  Any ideas on how best to allow the users to change their passwords after the ISE admin creates the account?

Thanks.

Cisco Employee

Re: ISE Local Accounts Password Change Method

Hi Paul,

Have you tried the My Devices portal?  Just be sure that the portal is configured so that internal users are allowed to change their own passwords.  Just be sure to uncheck 'require user to change password at next login' when the account is created.

Regards,

-Tim

VIP Advocate

Re: ISE Local Accounts Password Change Method

Tim,

The MyDevices works when I “Allow internal users to change their own passwords” but doesn’t work when I check “Change password on next login” under the User ID itself. How is the “Change password on next login” option under the User ID ever supposed to be used?

I really didn’t want to use the MyDevices because you could add or change MAC addresses in the system by mistake. The guest portal seemed like a harmless portal to allow the users to change their password.

Thanks for your feedback.

Paul Haferman

Cisco Employee

Re: ISE Local Accounts Password Change Method

From what I understand, the Guest Portal flow does not change internal user passwords. So you will need to use the My Devices or Sponsor portal, for example. You could do some customization to hide everything and make it into a password change portal.  If you're looking for a dedicated password change flow, then please reach out to the ISE Product Marketing Team through your local account team to ask for a feature.

Accepted solution

VIP Advocate

Re: ISE Local Accounts Password Change Method

Thanks Jason. I ended up using the MyDevices Portal and customized it and put “Do Not Use” on the various fields and buttons. Close enough.

Paul Haferman

Cisco Employee

Re: ISE Local Accounts Password Change Method

You can also remove items; here is a sample of how we removed tabs. Play around more; you can repurpose more if you like.

ISE MyDevices Portal customization (remove the column for pending/register state)

How to hide buttons on the sponsor portal

Beginner

Re: ISE Local Accounts Password Change Method

How do the users get routed to the Portal to change their expired TACACS passwords?

Cisco Employee

Re: ISE Local Accounts Password Change Method

TACACS has no mechanism to redirect to a portal. You would need to automate something to email them if possible using APIs. Sounds like you're looking for something more enterprise related. For example, an AD account management platform.

Beginner

Re: ISE Local Accounts Password Change Method

Definitely looking for an Enterprise solution. We are migrating from Cisco ACS where we currently have a Portal (locally created) for users to reset passwords. We were looking for something similar with ISE.

Cisco Employee

Re: ISE Local Accounts Password Change Method

Did you see this?
https://community.cisco.com/t5/identity-services-engine-ise/ise-password-change-portal-ucp-with-my-devices-portal/td-p/3475680

If you need better support, reach out to the account team and our product marketing for feature enhancement.

Enthusiast

Re: ISE Local Accounts Password Change Method

Are there plans to support something like the UCP service on the ACS? Because misusing the MyDevices portal is an interesting idea. But that does not support changing the enable password.

Cisco Employee

Re: ISE Local Accounts Password Change Method

Please ask through the sales channel to the ISE product marketing team for a feature request.

Accepted solution