
Manish Patel

Password change via ISE for switch login


I am having difficulty in setting up the ISE to allow password change when a user logs onto a switch/router when their password is expired. Users don't get prompted to change the password when logging onto the switch with AD credentials.

I have checked the configurations on ISE, i.e. change password is enabled on the AD connection, and under the default allowed access, under inner PEAP, I have checked to allow password changes.

I have attached some screenshots of successful authentication and unsuccessful authentication from the same switch, with the error message too.

Do I need to put in any extra lines on the switch for RADIUS authentication/management config?

Currently all that I am doing is to log in to the switch via RADIUS using AD credentials.

The RADIUS config is:

    aaa new-model
    aaa authentication login LOGIN-AUTH group RADIUS-GROUP local
    aaa authorization exec default group RADIUS-GROUP local
    aaa authorization console
    aaa authentication enable default group RADIUS-GROUP enable
    aaa accounting exec default start-stop group RADIUS-GROUP
    aaa group server radius RADIUS-GROUP
     server X.X.X.X auth-port 1812 acct-port 1813
     server X.X.X.X auth-port 1812 acct-port 1813
    radius-server host X.X.X.X auth-port 1812 acct-port 1813 key XXXXXXXXXX
    radius-server host X.X.X.X auth-port 1812 acct-port 1813 key XXXXXXXXXX
    line vty 0 4
     exec-timeout 15 0
     logging synchronous
     login authentication LOGIN-AUTH
     transport input all
     transport output all

Tarik Admani


When authenticating to the switch or router for device authentication, the password authentication protocol is PAP and not PEAP. Only TACACS supports password change through device administration.


Tarik Admani
*Please rate helpful posts*

Hi Tarik

Can this be altered to use PEAP rather than PAP for switch login?

Tarik Admani

No, you cannot change the login algorithm to PEAP on routers or switches.

Sent from Cisco Technical Support Android App
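Added example, not part of the thread and not Cisco code: a sketch of the RADIUS PAP Access-Request that a device login produces, following RFC 2865 section 5.2. It shows that the request carries only User-Name and one hidden User-Password, with no attribute for a new password, and that the hiding depends entirely on the shared secret. The user name, password, secret and function names are constructed for illustration.

```python
import hashlib
import os
import struct

def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    # RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block),
    # where the "previous block" for the first one is the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(c ^ k for c, k in zip(chunk, key))
        out += block
        prev = block if hiding else chunk  # chain on the ciphertext in both directions
    return out

def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: pad to a multiple of 16 bytes with NULs, then hide."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, authenticator, hiding=True)

def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: anyone holding the shared secret recovers the cleartext."""
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    return _keystream_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def build_access_request(user: bytes, password: bytes, secret: bytes,
                         identifier: int, authenticator: bytes = b"") -> bytes:
    """Code 1 (Access-Request) with User-Name (1) and User-Password (2) only."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((1, user), (2, hide_pap_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    """Return {type: value}; rejects attributes that overrun the packet length."""
    length, pos, attrs = struct.unpack("!H", packet[2:4])[0], 20, {}
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    while pos < length:
        attr_len = packet[pos + 1] if pos + 1 < length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[packet[pos]] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs
```

Because the password is recoverable with the shared secret alone, the `key` on the `radius-server host` lines should be long and random, and the RADIUS traffic kept on a management network.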
