11-10-2023 11:43 PM - edited 11-10-2023 11:46 PM
Hi,
We are having a problem when users try to change their expired AD password. We use Cisco AnyConnect NAM for wired network access, and for wireless we use the default supplicant. Users can't change their password from either the wired or the wireless network. The RADIUS log shows "User change password against Active Directory failed". We did the following:
1. Checked for any password policy changes on AD. There were none.
2. Checked if the users are setting a policy-compliant password. We have tried it ourselves with a compliant password but get the same error.
3. Tried computers without RADIUS configured on the port. It works perfectly.
4. Users can authenticate with RADIUS, but the issue is when they try to change their password.
5. Mainly, there was a change in the Active Directory settings related to Kerberos allowed encryption types, PKU2U authentication, and NTLM falling back to a null session. But even with these changes, authentication works; only the password change does not.
Version: Cisco ISE 3.0.0.458, Windows Server 2019.
With the above information, can you assist me in finding a solution?
Thank You.
11-12-2023 02:02 PM
Sounds odd. Has it ever worked in the past?
I don't really use this myself, but perhaps you can check these two items in ISE.
Is this enabled in ISE?
And maybe this too?
11-13-2023 12:05 AM
@Arne Bier Thank you for your response. The "Enable Password Change" option has been selected, and users had been successfully changing their password until recently. "Allow password change retries" has been set to the maximum on all allowed protocols.
11-13-2023 04:37 PM
Wow - OK. I searched a bit on PKU2U but I don't understand Microsoft to that level of detail. I don't think there are any other knobs in ISE that we can tune - seems that the AD changes that were made have this unwanted side effect.