HI,

I am having difficulty in setting up the ISE to allow password change when a user logs onto a switch/router when their password is expired. Users dont get prompted to change the password when logging onto the switch with AD credentials.

i have checked the configurations on ISE i.e change password is enabled on the AD connection, under the default allowed access , under inner PEAP i have checked to allow password changes.

i have attached some screen shots of successfull authentication and unsuccessful authentication from the same switch with the error message too.

Do i need to put in any extra lines on the switch for RADIUS authentication/management config?

Currently all that i am doing is to login into the switch via RADIUS using AD credentials.

the radius config is

aaa new-model

aaa authentication login LOGIN-AUTH group RADIUS-GROUP local

aaa authorization exec default group RADIUS-GROUP local

aaa authorization console

aaa authentication enable default group RADIUS-GROUP enable

aaa accounting exec default start-stop group RADIUS-GROUP

aaa group server radius RADIUS-GROUP

server X.X.X.X auth-port 1812 acct-port 1813

server X.X.X.X auth-port 1812 acct-port 1813

radius-server host X.X.X.X auth-port 1812 acct-port 1813 key XXXXXXXXXX

radius-server host X.X.X.X.auth-port 1812 acct-port 1813 key XXXXXXXXXX

line vty 0 4

exec-timeout 15 0

logging synchronous

login authentication LOGIN-AUTH

transport input all

transport output all