
ISE 2.4: how to remove the account expiration date along with the message "Your password will expire in" for non-admin accounts

I am running Cisco ISE 2.4 and I have just finished the migration from ACS 4.1.

Now, when people (not even admin people, just regular users) use their TACACS account to telnet/ssh, they get the message:

 

Username: xxxxxx
Password:
Authentication succeeded. Your password will expire in 3 weeks + 2 days + 6 hours + 6 Minutes

Router#

1) I don't want people to have to change their password

2) I don't want to see this message.

I went through a lot of options (administration, admin access, settings, password policy), no way to get rid of that.

Any tip? 

Thanks

Regards,

Gilles


Arne Bier
VIP

This is a function of the TACACS (Device Admin) and not the ISE admin (which your screen captures are showing).

I tested this in my lab and I was able to reproduce your issue. There is a checkbox to enable the password expiration reminder, and I think there is a bug because if you uncheck that box, then the reminder is still displayed. No way around it.

Of course, this only happens if there is an actual password expiration set on those local users. I have not tested this with AD (not sure if this also works if the accounts live in AD; I only tested with ISE internal user accounts).

 

Oh and, if you want to stop this password expiration stuff, then just untick the box "Disable user account after"

 


 

 

TACACS Username:bob
TACACS Password:
Authentication succeeded. Your password will expire in 1 weeks + 2 days  + 23 hours  + 49 Minutes

router01#

 

 

 

Hi Arne,

Thanks for your answer. We use local authentication (no AD).

If I understand, there is no way to suppress the message along with the "expiration date".

I have attached 2 new pix.

It is really annoying for people working in a NOC. And on top of this, most of them don't know how to change a TACACS password.

Any tip is welcome :)

 

Thanks

Regards,

Gilles

It is already unticked but it still shows the message.
For information, I have already applied patches 1 to 5.

Version 2.4.0.357
Installed Patches 1,2,3,4,5
Product Identifier (PID) SNS-3515-K9
Version Identifier (VID) A0
Serial Number (SN) FCH2226V1MP
ADE-OS Version 3.0.4.070

I think you are the proud owner of a new ISE bug :-)

 

I am also on ISE 2.4 patch 5 and I can reproduce it.  So the expiration time does play a role and there is a workaround to stop annoying your people.  Just set the "Disable user account after" to 3650 days and tick the box.  And then set the "Display reminder" to 1 and tick the box.  That will buy you some sanity and some time to get the bug raised and hopefully resolved (in ten years time!)

 

I am pretty sure this is a bug because it makes no sense otherwise.

I even deleted the user bob and it still happens. It's not tied to the user; it's as if the password expiration just has a mind of its own. Once it has calculated a password expiration event, it will latch that event, even if the display reminder option is then subsequently turned off. But toggling the value to 10 years seems to do the trick.

 

I'd say raise a TAC case anyway.

Thanks a lot. I did what you advised and now the message has disappeared, except for my account. I have the super admin privilege. Maybe that is why.

Likely due to CSCvf30591
