
ISE: RADIUS Authentication User IDs: About Setting Individual Password Expiration

Translator
Community Manager

I would like to ask whether it is possible to set a password lifetime policy for individual NW authentication user IDs in ISE.

------------------------------------------------------------------------------------------------

[Environment] Login authentication of NW equipment is performed by RADIUS authentication in ISE (version: 3.1.0.518). No external AD servers are used.

(1) We have registered multiple IDs for RADIUS authentication of NW devices, and we are planning to set a password expiration policy in [Administration] > [Identity Management] > [Settings] > [User Authentication Settings]. Is it correct to understand that it is still impossible to set a password expiration date only for individual IDs and to exclude other IDs (password never expires), as in the following thread?

Solved: Re: ISE Internal User Account - Never Expire - Cisco Community

(2) In addition, under [Administration] > [Identity Management] > [Identities] > [Users], the account disabling policy can be set for individual users. If you know whether this setting takes precedence over the global policy set in (1), we would appreciate your help. (This question comes from the hope that, if a password disabling policy is set individually, the user would not be subject to the password lifetime set globally.)

Cisco Identity Services Engine Release 3.1 Administrator's Guide - Asset Visibility [Cisco Identity Services Engine] - Cisco

------------------------------------------------------------------------------------------------

Are there other ways to make individual password expiration policy settings possible (creating identity groups, policy settings for each group, etc.)? If there are any, I would be grateful if you could let me know.

We apologize for any inconvenience this may cause you.

Accepted Solutions

Translator
Community Manager

Let me organize the picture of what you want to achieve.
If you want to specify the "remaining days" of Password Lifetime for an individual user, the Default (60) at the global level is automatically referenced and is the same for all users.
As an alternative, I wonder whether the user's individual "direct deadline" (YYYY-MM-DD) specification is effective.

(1) Specify the number of days remaining <<<< This is the original goal
· User A is 30 days
· User B is 90 days
→ However, the remaining days cannot be specified individually on a per-user basis and are shared by referencing the global level
  Global level: Change password every [ 60 ] days (valid range 1 to 3650):

(2) Specify a direct deadline (YYYY-MM-DD) <<<<< Alternative
· User A is until 2025-01-23
· User B is until 2025-12-31


When I actually tried the direct deadline (YYYY-MM-DD) of (2) in my validation environment, the user-specific Account Disable Policy setting took precedence (Status: Enabled => Disabled).
The method of checking was to specify a date in the near term and check whether the Status changed as the days passed. (Validated in v3.3.0.430)
