Unique password policy per internal identity group

russell.sage
Level 3

Hi

Is it possible to have a separate password policy for unique identity groups?

Ideally, we want Device Administration users' passwords to be renewed every 90 days. However, we have other system passwords, like the F5 probe account, that we don't want to ever change, for example.

From my understanding, the password policy for internal users is globally set.

1 Accepted Solution

Panos Bouras
Level 1

Hi @russell.sage 

I believe that you can't, but you can try to create a new user account in your AD and the same user in ISE, then select the user password as external in password type, pointing to your AD join point.

In your AD, configure the user password expiry options.

Thank you, Panos.

3 Replies

thomas
Cisco Employee

The Password Policy is global for all ISE Internal Users.

Like Panos suggested, consider using AD or another external identity store for your admins - where they already have their username+password stored.

Then reserve the Internal User accounts for services like your probe(s) that never expire or have a much longer expiration.

Hi, thanks for the response. But the AD is not ours. We manage the network on behalf of our customer, and they don't want to create accounts for 50+ contractors in their AD.