Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1551
Views
15
Helpful
3
Replies

Unique password policy per internal identity group

Go to solution
russell.sage
Level 1
Level 1

‎01-28-2021 04:21 AM

Hi

Is it possible to have separate password policy for unique identity groups.

 

Ideally we want Device Administration users passwords to be renewed every 90 days. However, we have other system passwords like F5 probe account that we don't want to ever change for example.

From my understanding password policy for internal users is globally set.

1 Accepted Solution

Accepted Solutions

Go to solution
Panos Bouras
Level 1
Level 1

‎01-28-2021 07:45 AM

Hi @russell.sage 

I believe that you can't, but you can try to create a new user account in your AD and the same user in ISE, then select the user password as external in password type, pointing to your AD join point.

In your AD configure the user password expiry options.

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

View solution in original post

3 Replies 3

Go to solution
Panos Bouras
Level 1
Level 1

‎01-28-2021 07:45 AM

Hi @russell.sage 

I believe that you can't, but you can try to create a new user account in your AD and the same user in ISE, then select the user password as external in password type, pointing to your AD join point.

In your AD configure the user password expiry options.

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

Go to solution
thomas
Cisco Employee
Cisco Employee

‎01-28-2021 02:07 PM

The Password Policy is global for all ISE Internal Users.

Like Panos suggested, consider using AD or other external identity store for your admins - where they already have their username+password stored.

Then reserve the Internal User accounts for services like your probe(s) that never expire or have a much longer expiration.

image.png

image.png

 

 

Go to solution
russell.sage
Level 1
Level 1
In response to thomas

‎01-28-2021 02:22 PM

Hi thanks for the response. But the AD is not ours. We manage the network on behalf our customer and they don't want to create for 50+ contractors into their AD.

0 Helpful
Customers Also Viewed These Support Documents