12-05-2024 05:50 AM
Hi All,
Need clarity on the service account password expiry.
Cisco ISE 3.2 and service account created to access the NAD
1. Could see the option password change on first login but no option to set the expiry or password change notification.
2. The global setting has the option for password change and expiry under the option "password lifetime"
But per the documentation, the password can be changed only by accessing Cisco ISE. But these accounts will not have access to Cisco ISE. They are created to access only the NAD.
Any suggestion on how we can set password expiry and a password change option for such accounts?
Reference Below
You can use the Password Lifetime section to update the password reset interval and reminder. To set the lifetime of a password, check the Change password every XX days (valid range 1 to 3650) check box, and enter the number of days in the input field. A user account can be disabled if a user does not change the password in the specified time by selecting the Disable User Account option. Choose the Require password change on next login to prompt the user to change their password the next time they login to Cisco ISE.
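The Password Lifetime settings quoted above (change every XX days, a reminder before that, and optionally disabling the account when the deadline passes) are easy to mirror in a small audit script, which is one way to get expiry tracking and notification for NAD-only service accounts that never log in to the ISE GUI. The following is an added example, not ISE code and not from this thread; the account records and the 90/14-day policy values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class LifetimePolicy:
    """Mirrors the ISE 'Password Lifetime' options quoted in the thread."""
    change_every_days: int   # "Change password every XX days" (valid range 1 to 3650)
    remind_before_days: int  # how many days before expiry to start reminding (assumed knob)
    disable_on_expiry: bool  # "Disable User Account" when not changed in time

    def __post_init__(self):
        # Same validity range the ISE documentation states for the lifetime value.
        if not 1 <= self.change_every_days <= 3650:
            raise ValueError("change_every_days must be between 1 and 3650")
        if self.remind_before_days < 0:
            raise ValueError("remind_before_days must be non-negative")


@dataclass
class ServiceAccount:
    name: str
    last_password_change: date   # date the password was last set (from your own records)


def password_status(acct: ServiceAccount, policy: LifetimePolicy, today: date):
    """Return (status, days_left) where status is one of
    'ok', 'reminder', 'expired' or 'disable' (expired and policy says disable)."""
    expires_on = acct.last_password_change + timedelta(days=policy.change_every_days)
    days_left = (expires_on - today).days
    if days_left <= 0:
        # The lifetime has run out; ISE would disable the account if that option is set.
        return ("disable" if policy.disable_on_expiry else "expired"), days_left
    if days_left <= policy.remind_before_days:
        return "reminder", days_left
    return "ok", days_left


def audit(accounts, policy, today):
    """Evaluate every account and return {name: (status, days_left)}."""
    return {a.name: password_status(a, policy, today) for a in accounts}


# Constructed sample data: a 90-day lifetime, reminders in the last 14 days,
# and the 'Disable User Account' option turned on.
POLICY = LifetimePolicy(change_every_days=90, remind_before_days=14, disable_on_expiry=True)
TODAY = date(2024, 12, 5)
ACCOUNTS = [
    ServiceAccount("nad-backup", date(2024, 11, 1)),   # rotated recently
    ServiceAccount("nad-monitor", date(2024, 9, 15)),  # expires in 9 days
    ServiceAccount("nad-edge", date(2024, 9, 6)),      # expires today
    ServiceAccount("nad-legacy", date(2024, 8, 1)),    # expired over a month ago
]

if __name__ == "__main__":
    for name, (status, days_left) in audit(ACCOUNTS, POLICY, TODAY).items():
        print(f"{name:12s} {status:9s} days_left={days_left}")
```

Run it from a scheduled job against your own inventory of NAD service accounts and turn the "reminder" and "disable" results into tickets or alerts; the rotation itself still has to be done through the TACACS+ renewal dialog or by an ISE admin, as the replies below describe.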
12-05-2024 12:49 PM
I don't use the forced password renewal feature, but in my Lab ISE, I have enabled it to force me to change it every day to see what happens.
A user can always change their password on any device that performs ISE TACACS+ AAA - the trick is to enter the password at the network device's login prompt, and at the password prompt, don't enter anything - just press Enter - that will cause a password renewal process. E.g.
login as: arne
Keyboard-interactive authentication prompts from server:
| Password:
| Enter Old Password:
| Enter New Password:
| Enter New Password Confirmation:
| Password complexity does not meet
End of keyboard-interactive prompts from server
Access denied
Keyboard-interactive authentication prompts from server:
| Password:
| Enter Old Password:
| Enter New Password:
| Enter New Password Confirmation:
End of keyboard-interactive prompts from server
SW1#
In my case, the user 'arne' is an ISE Internal User Account. But you can do this with an AD account too - however, the password rules of AD will be applied, not the rules configured for ISE Internal Users.
I would expect that after one day has passed, when I login to the network device, it will prompt me for a new password.
There is the possibility in ISE to re-use the same ISE user account (e.g. 'arne') and make it an ISE Admin account too. In this case, if that is what you have done, then this user account can be used to login to the ISE Admin GUI, and in the GUI you can change the password. But most people have separate ISE Admin accounts from the Network Device Admin accounts - because not every AAA/TACACS+ user may need to login to ISE. You can of course restrict the ISE Admin GUI to the bare minimum for those users (e.g. show them the TACACS+ Live Logs only) - nothing wrong with that.
12-07-2024 03:52 AM
It's been more than a day since I last reset the password (manually) but I have not been forced to renew it as expected.
I tested the feature under Internal User Identities to force password update after next login - that worked as expected:
login as: arne
Keyboard-interactive authentication prompts from server:
| Password:
| Enter New Password:
| Enter New Password Confirmation:
End of keyboard-interactive prompts from server
SW1#
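The two keyboard-interactive sessions shown in the replies above (the user-initiated renewal triggered by an empty password, with its "Password complexity does not meet" / "Access denied" retry, and the forced renewal after "Require password change on next login") can be modelled as one small server-side dialog. The code below is an added example written for this thread; it is not ISE or IOS code. The prompt strings are taken from the session captures above, while the complexity rule (at least 8 characters, three character classes) and the "Passwords do not match" message are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password: str
    must_change: bool = False   # "Require password change on next login"


def complexity_ok(pw: str) -> bool:
    """Assumed policy: 8+ characters and at least three of lower/upper/digit/other."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3


def keyboard_interactive(user: User, answers):
    """Drive one login attempt. `answers` are the user's replies, consumed in
    prompt order. Returns (authenticated, transcript) where transcript lists
    the prompts and messages the device would print."""
    answers = iter(answers)
    transcript = []

    def ask(prompt):
        transcript.append(prompt)
        return next(answers, "")

    first = ask("Password:")
    if first == "":
        # Empty password at the prompt starts the renewal dialog (first reply above).
        if ask("Enter Old Password:") != user.password:
            transcript.append("Access denied")
            return False, transcript
        need_change = True
    elif first == user.password:
        # Correct password; renewal only if the account is flagged (second reply above).
        need_change = user.must_change
    else:
        transcript.append("Access denied")
        return False, transcript

    if not need_change:
        return True, transcript

    new = ask("Enter New Password:")
    confirm = ask("Enter New Password Confirmation:")
    if new != confirm:
        transcript.append("Passwords do not match")  # assumed wording, not from the captures
        transcript.append("Access denied")
        return False, transcript
    if not complexity_ok(new):
        transcript.append("Password complexity does not meet")
        transcript.append("Access denied")
        return False, transcript

    # Renewal succeeded: store the new password and clear the one-time flag.
    user.password = new
    user.must_change = False
    return True, transcript


if __name__ == "__main__":
    arne = User("arne", "OldPass#1")
    # First attempt fails complexity, second succeeds, as in the capture above.
    for replies in (["", "OldPass#1", "weak", "weak"], ["", "OldPass#1", "NewPass#22", "NewPass#22"]):
        ok, lines = keyboard_interactive(arne, replies)
        print("\n".join(lines), "\nSW1#" if ok else "", sep="")
```

Note that a failed renewal leaves the stored password untouched, which is why the device simply re-prompts and the user can try again with a compliant password.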
12-08-2024 08:47 PM
Thank You Arne. This information is very helpful. Planning to test the same.