Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2456
Views
0
Helpful
3
Replies

Password change via ISE for switch login

Manish Patel
Level 1
Level 1

‎10-01-2012 08:57 PM - edited ‎03-10-2019 07:37 PM

HI,

I am having difficulty in setting up the ISE to allow password change when a user logs onto a switch/router when their password is expired. Users dont get prompted to change the password when logging onto the switch with AD credentials.

i have checked the configurations on ISE i.e change password is enabled on the AD connection, under the default allowed access , under inner PEAP i have checked to allow password changes.

i have attached some screen shots of successfull authentication and unsuccessful authentication from the same switch with the error message too.

Do i need to put in any extra lines on the switch for RADIUS authentication/management config?

Currently all that i am doing is to login into the switch via RADIUS using AD credentials.

the radius config is

aaa new-model

aaa authentication login LOGIN-AUTH group RADIUS-GROUP local

aaa authorization exec default group RADIUS-GROUP local

aaa authorization console

aaa authentication enable default group RADIUS-GROUP enable

aaa accounting exec default start-stop group RADIUS-GROUP

aaa group server radius RADIUS-GROUP

server X.X.X.X auth-port 1812 acct-port 1813

server X.X.X.X auth-port 1812 acct-port 1813

  

radius-server host X.X.X.X auth-port 1812 acct-port 1813 key XXXXXXXXXX

radius-server host X.X.X.X.auth-port 1812 acct-port 1813 key XXXXXXXXXX

line vty 0 4

exec-timeout 15 0

logging synchronous

login authentication LOGIN-AUTH

transport input all

transport output all

Labels:
Preview file
124 KB
0 Helpful
3 Replies 3

Tarik Admani
VIP Alumni
VIP Alumni

‎10-01-2012 09:35 PM

Mansih,

When authenticating to the switch or router for device authentication, the password authentication protocol is PAP and not PEAP. Only TACACS supports password change through device administration.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Manish Patel
Level 1
Level 1
In response to Tarik Admani

‎10-02-2012 05:36 PM

Hi Tarik

Can this be altered to use PEAP rather than PAP for switch login

0 Helpful

Tarik Admani
VIP Alumni
VIP Alumni

‎10-02-2012 06:41 PM

No you can not change the login algorithm to peap on routers or switches.

Sent from Cisco Technical Support Android App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents