09-01-2012 10:32 AM - edited 03-10-2019 07:29 PM
Hi all,
We implemented Cisco ISE 1.1 a week ago and we notice that Microsoft Active Directory users can't change their password when it has expired.
We store all user accounts in Microsoft Active Directory for authentication, and ISE is mapped to Microsoft Active Directory. Normally, when your password expires, Microsoft Active Directory asks you to change your password, but in our case the Cisco switch or 802.1X doesn't allow communication with Active Directory before giving access to the network. Is it a configuration mistake, or does Cisco not support this?
Best regards.
09-01-2012 10:39 AM
Hi,
Can you see if the "Enable Password Change" option is set in the Active Directory settings?
Administration > Identity Management > External Identity Stores > Active Directory > Advanced Settings.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-01-2012 10:54 AM
Hi,
I checked and it is enabled. These are the current settings:
Password change is enabled
Machine authentication is enabled
Machine access restriction is enabled
6 hours for aging time.
Thanks.
09-01-2012 11:13 AM
Hi,
Are you using the "Default Network Access" as your "Allowed Protocols" in your condition for your AD authentication policy?
If so can you see if the "Allow Password Change" is checked in the allowed protocols condition by going to:
Policy Elements > Results > Authentication > Allowed Protocols > (for example) Default Network Access > Allow PEAP > PEAP Inner Methods > Make sure the allowed password change is set.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-01-2012 11:39 AM
Hi,
As we are using the Microsoft PEAP protocol on desktops, I see that << Allow Password change >> is enabled but <
Could I change <
Best regards.
09-01-2012 11:41 AM
You can do that. Also, could you post a screenshot of the authentication failed message from ISE? Does it mention that the failure reason was password expiration or a bad password?
Thanks,
Tarik Admani
*Please rate helpful posts*
05-07-2014 02:03 PM
I hate to bring up an old post but we are having the same issue with iPads. I have checked all of the password settings mentioned here and all are set to allow password change. Has anyone resolved this issue?
Thanks,
Joe
05-08-2014 04:58 AM
I don't think the iPad supplicant supports changing your password using PEAP.
09-03-2014 05:04 AM
09-17-2013 05:56 AM
Hi,
I'm having the same problem. Did you find a solution?
Thanks
09-19-2013 05:44 AM
Hi oussama,
You can check at Policy > Policy Elements > Results > Authentication > Allowed Protocols,
and you can edit the default profile and allow changing password.
Best regards.
Has anyone found a solution to date for this problem? The allow password change is enabled anywhere possible. On ISE I get the following message:
Event:
5411 Supplicant stopped responding to ISE
Failure reason:
24407 User authentication against Active Directory failed since user is required to change his password.
On my Android (Samsung S5) I never get the pop-up to change the AD password.
btw: I am on ISE version: 1.2.0.899
Manodj