Solved: Re: user account in ISE keeps on disabling

bbb bbb · ‎05-15-2018

Hi Everyone,

I'm just wondering why a network access user account defined internally to ISE keeps on disabling after some time.. i even make the "account disable policy" disabled. but still, the user account keeps on disabling after some time.

In our environment, we have another machine that needs to login to Cisco switches to make necessary config automatically. our Cisco switch is configured for AAA to look for tacacs.

In Cisco ISE we configured policy for tacacs to look for active directory and internal.

The machine that is logging into our Cisco switches doesn't have an active directory account, that is why we defined a user internal to ISE.

See attached image for reference.

any advice, please

thank you and regards,

ben

Craig Hyps · ‎05-16-2018

Check password lifetime and lockout policy for failed login attempts. It may be expiring due to password change due or script is rapidly exceeding failed login attempts. Try deleting and re-entering the values expected. Also check for the fallback policy if user not found. Is ID sequence set to continue to next store if User Not Found in AD? Consider building a separate policy set for this access, or separate rule in main policy set to match this specific use case so you can set the correct ID store as first/only selection. You should see log history of failed attempts. If basic troubleshooting does not ral issue, then may need to open TAC case.

View solution in original post

hslai · ‎05-20-2018

My screenshot shows the Password Lifetime option [v] Disable user account after [ 60 ] days if password was not changed.

If you indeed set it like that, then the user will get disabled because the password not periodically updated.

Also, please try creating a new user with username all in lower case.

If none helped, please engage Cisco TAC, as we are likely needing a copy of your CFG backup to debug further.

View solution in original post

Craig Hyps · ‎05-16-2018

Check password lifetime and lockout policy for failed login attempts. It may be expiring due to password change due or script is rapidly exceeding failed login attempts. Try deleting and re-entering the values expected. Also check for the fallback policy if user not found. Is ID sequence set to continue to next store if User Not Found in AD? Consider building a separate policy set for this access, or separate rule in main policy set to match this specific use case so you can set the correct ID store as first/only selection. You should see log history of failed attempts. If basic troubleshooting does not ral issue, then may need to open TAC case.

bbb bbb · ‎05-17-2018

password lifetime for this account is disabled. ill check if there is a lockout policy set for failed login attempts.

the sequence I make is AD then Internal.

ill try to build a separate policy set for this access using the sequence to Internal only and see if it will be disabled on its own again.

thank you and regards,

ben

hslai · ‎05-17-2018

Please check the global settings of password policy and account disable policy for internal users.

bbb bbb · ‎05-20-2018

I did check, and the settings are exactly the same screenshot you posted. I checked today and the internal user account becomes disabled again.

hslai · ‎05-20-2018

My screenshot shows the Password Lifetime option [v] Disable user account after [ 60 ] days if password was not changed.

If you indeed set it like that, then the user will get disabled because the password not periodically updated.

Also, please try creating a new user with username all in lower case.

If none helped, please engage Cisco TAC, as we are likely needing a copy of your CFG backup to debug further.

bbb bbb · ‎05-22-2018

hslai wrote:

My screenshot shows the Password Lifetime option [v] Disable user account after [ 60 ] days if password was not changed.

If you indeed set it like that, then the user will get disabled because the password not periodically updated.

Yesterday, I found that the user becomes disabled again.. I uncheck the box for "Disable user account after [ 60 ] days...". today I didn't find the user account disable. Will observe it for now and see.

Thank you very much Hslai

bbb bbb · ‎05-20-2018

I did create another policy set only for the server01, this server automatically logins to network devices but doesn't have AD account (the reason we create internal user).

image01: is the original policy where the sequence is AD then Internal. with exception to Administrators (uses AD) and server01 (uses Internal).

image02: created a separate policy for server01 (Internal), and it works fine. but since it is above the "Network Devices" policy, we cannot login now to network devices using AD.

image03: Content of "Network Devices" policy. If a make this policy above "server01" policy then I can now log in to a network device using AD. but then log in to a network device using Internal will fail.

bbb bbb · ‎05-22-2018

Thank you very much Chyps