Manish Patel
Beginner

Password change via ISE for switch login

Hi,

I am having difficulty in setting up the ISE to allow password change when a user logs onto a switch/router when their password is expired. Users don't get prompted to change the password when logging onto the switch with AD credentials.

I have checked the configurations on ISE, i.e. change password is enabled on the AD connection, and under the default allowed access, under inner PEAP, I have checked to allow password changes.

I have attached some screenshots of successful authentication and unsuccessful authentication from the same switch with the error message too.

Do I need to put in any extra lines on the switch for RADIUS authentication/management config?

Currently all that I am doing is to log in to the switch via RADIUS using AD credentials.

The RADIUS config is:

aaa new-model
aaa authentication login LOGIN-AUTH group RADIUS-GROUP local
aaa authorization exec default group RADIUS-GROUP local
aaa authorization console
aaa authentication enable default group RADIUS-GROUP enable
aaa accounting exec default start-stop group RADIUS-GROUP
!
aaa group server radius RADIUS-GROUP
 server X.X.X.X auth-port 1812 acct-port 1813
 server X.X.X.X auth-port 1812 acct-port 1813
!
radius-server host X.X.X.X auth-port 1812 acct-port 1813 key XXXXXXXXXX
radius-server host X.X.X.X auth-port 1812 acct-port 1813 key XXXXXXXXXX
!
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 login authentication LOGIN-AUTH
 transport input all
 transport output all

3 REPLIES
Tarik Admani
Advocate

Manish,

When authenticating to the switch or router for device authentication, the password authentication protocol is PAP and not PEAP. Only TACACS supports password change through device administration.

Thanks,

Tarik Admani
*Please rate helpful posts*

Manish Patel
Beginner