423 Views | 1 Helpful | 5 Replies

User Can't change Password even we enable Allow password change

oum-odom
Level 1

Hello Cisco ISE lover, 

Currently, we have an inquiry related to AD users who can't change their password once it has expired. It looks like the Secure Client agent or something else blocks the connection to AD, but what we notice is that the PC shows the status "Password Changed Successfully" while the change has not yet synced to AD.

Please kindly share your solution that allows users to change their password by themselves.
Thank you,  

1 Accepted Solution (wajidhassan's second reply, below)

5 Replies

Enes Simnica
Level 3

Good day G. The classic password sync headache, LOL! It would be a good start to try the essentials first: check if Secure Client is blocking LDAP (389/636) to your DCs. Then have users clear Credential Manager caches and try changing via Ctrl+Alt+Del on wired. If using CoA, verify policies aren't interrupting the change. And if no result, try: nltest /sc_reset might help. That's all I can think of for now...

hope it helps G..


-Enes

more Cisco?!
more Gym?!

What is nltest /sc_reset? @Enes Simnica 

wajidhassan
Level 4

Hey @oum-odom,

This usually happens because when a user's AD password expires, the device can’t reach the domain controller properly over 802.1X. Secure Client or ISE policies might block LDAP (389/636) before full authentication, causing the password change to fail syncing with AD.

Make sure the device has access to the domain controller before authentication, either by allowing limited pre-auth access or using a fallback VLAN for expired-password scenarios. Also, ensure the Ctrl+Alt+Del password change method is used on a wired connection where possible.

Lastly, if the machine’s trust with the domain is broken, running nltest /sc_reset can help re-establish the secure channel. nltest /sc_reset is a Windows command that resets the secure channel between the PC and Active Directory. If trust is broken between the PC and the domain, this helps restore it and can fix sync issues after password changes.

Is there any solution to allow LDAP without creating fallback VLAN?

wajidhassan
Level 4

Hey @oum-odom,

Yes, you can allow LDAP access without using a fallback VLAN by modifying your ISE policy to permit limited access during the pre-auth phase. In your ISE authorization rules, create a condition that detects users with expired passwords (or failed PEAP-MSCHAPv2 due to "change password required") and apply a special dACL (Downloadable ACL) that only allows traffic to your domain controllers on LDAP (389) or LDAPS (636).

This way, users can reach AD just enough to change their password, without giving full network access or switching VLANs.
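As an added illustration of the dACL described above (not code from the thread or from Cisco), here is what the downloadable ACL attached to the "password expired" authorization profile would contain; the domain controller addresses 10.10.1.5 and 10.10.1.6 are constructed placeholders, and the DNS and Kerberos lines are an assumption beyond the 389/636 the thread names, since the client must resolve and authenticate to the DC before the change completes.

```cisco
! Added example dACL for an ISE authorization profile used only while the
! user's AD password is expired (the rule condition matches the expired-
! password / "change password required" failure the thread describes).
! In a dACL the source is always "any"; ISE substitutes the endpoint's IP.
! 10.10.1.5 and 10.10.1.6 are constructed placeholder DC addresses.

! LDAP / LDAPS to the domain controllers, as stated in the accepted solution
permit tcp any host 10.10.1.5 eq 389
permit tcp any host 10.10.1.5 eq 636
permit tcp any host 10.10.1.6 eq 389
permit tcp any host 10.10.1.6 eq 636

! Assumed additions (verify in your own environment): name resolution and
! the Kerberos logon / kpasswd ports that the Ctrl+Alt+Del change path uses
permit udp any host 10.10.1.5 eq 53
permit udp any host 10.10.1.6 eq 53
permit tcp any host 10.10.1.5 eq 88
permit udp any host 10.10.1.5 eq 88
permit tcp any host 10.10.1.6 eq 88
permit udp any host 10.10.1.6 eq 88
permit tcp any host 10.10.1.5 eq 464
permit udp any host 10.10.1.5 eq 464
permit tcp any host 10.10.1.6 eq 464
permit udp any host 10.10.1.6 eq 464

! No "permit ip any any": everything else is dropped by the implicit deny,
! so the endpoint gets only what the password change needs until it
! re-authenticates (via CoA) and lands on its normal authorization profile.
```

Keep the rule that returns this profile above the normal "permit access" rule so the expired-password case is matched first, and confirm from a client in that state that the DC ports listed are reachable before widening the list.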