
Unable to change expired AD password during the second attempt

Abdallah Anouar
Level 1

Hi,

We are using a Cisco ISE 2.1 which is connected to AD in order to authenticate users. The client's AD policy forces users to change their password every 45 days.

PEAP (MS-CHAP v2) is the EAP protocol used; we have enabled password change in the AD tab, and the retries value is 3 for PEAP MS-CHAP v2.

Our issue occurs when we enter a new non-compliant password the first time and then want to enter a compliant one afterwards (one that matches the required AD password complexity).

In this case, we notice that the password change is not made and we are unable to log in, even with the old password.

Cisco ISE logs show two events: the first asking for a password change and the second saying that the password is wrong.

Concerning the switch configuration, VSA is already enabled and the retries configuration under the interface has default values.

The attached file shows a traffic capture between the switch and the supplicant.

Did anyone encounter such an issue before and manage to resolve it?
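The post describes a PEAP/MS-CHAP v2 exchange in which the server first asks for a password change and then reports a wrong password, with a retry limit of 3. What decides the supplicant's next step at each stage is the Message field of the MS-CHAPv2 Failure packet, whose format and error codes are defined in RFC 2759 section 6 (`E=... R=r C=... V=... M=...`). The parser and decision logic below are an added example, not code from the original thread, from ISE, or from any supplicant; the sample Failure messages, the `simulate` helper and the retry policy it applies are constructed for illustration and are not taken from the poster's logs or capture.

```python
"""Parse MS-CHAPv2 Failure messages (RFC 2759, section 6) and decide the
supplicant's next step: retry, send a Change-Password packet, or stop.

Added example. The message format and error codes follow RFC 2759; the
sample messages and the retry policy in next_action() are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Error codes as listed in RFC 2759 section 6.
ERROR_RESTRICTED_LOGON_HOURS = 646
ERROR_ACCT_DISABLED = 647
ERROR_PASSWD_EXPIRED = 648
ERROR_NO_DIALIN_PERMISSION = 649
ERROR_AUTHENTICATION_FAILURE = 691
ERROR_CHANGING_PASSWORD = 709

ERROR_NAMES = {
    ERROR_RESTRICTED_LOGON_HOURS: "ERROR_RESTRICTED_LOGON_HOURS",
    ERROR_ACCT_DISABLED: "ERROR_ACCT_DISABLED",
    ERROR_PASSWD_EXPIRED: "ERROR_PASSWD_EXPIRED",
    ERROR_NO_DIALIN_PERMISSION: "ERROR_NO_DIALIN_PERMISSION",
    ERROR_AUTHENTICATION_FAILURE: "ERROR_AUTHENTICATION_FAILURE",
    ERROR_CHANGING_PASSWORD: "ERROR_CHANGING_PASSWORD",
}

# "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
# C= (a fresh 16-byte challenge, hex) and M= (free text) are optional.
_FAILURE_RE = re.compile(
    r"^E=(?P<code>\d{1,10})"
    r" R=(?P<retry>[01])"
    r"(?: C=(?P<challenge>[0-9A-Fa-f]{32}))?"
    r" V=(?P<version>\d{1,10})"
    r"(?: M=(?P<msg>.*))?$"
)


@dataclass(frozen=True)
class Failure:
    code: int
    retry_allowed: bool          # R=1: peer may retry with a new NT-Response
    challenge: Optional[bytes]   # C=: new authenticator challenge for the retry
    version: int                 # V=: 3 for MS-CHAPv2
    message: str                 # M=: human-readable text, may be empty

    @property
    def name(self) -> str:
        return ERROR_NAMES.get(self.code, f"UNKNOWN_{self.code}")


def parse_failure(text: str) -> Failure:
    """Parse the Message field of an MS-CHAPv2 Failure packet."""
    m = _FAILURE_RE.match(text)
    if not m:
        raise ValueError(f"not an MS-CHAPv2 Failure message: {text!r}")
    chal = bytes.fromhex(m["challenge"]) if m["challenge"] else None
    return Failure(int(m["code"]), m["retry"] == "1", chal,
                   int(m["version"]), m["msg"] or "")


def next_action(failure: Failure, attempts_left: int) -> str:
    """Supplicant policy for this example: 'change-password', 'retry-auth' or 'stop'.

    attempts_left plays the role of the retries counter mentioned in the post:
    once it is exhausted the supplicant stops regardless of the server's R flag.
    """
    if failure.version != 3:
        return "stop"                      # not MS-CHAPv2, do not retry
    if failure.code == ERROR_PASSWD_EXPIRED:
        # Server expects a Change-Password packet built with the new password
        # and the challenge carried in C=.
        return "change-password" if failure.challenge else "stop"
    if failure.code == ERROR_CHANGING_PASSWORD:
        # New password rejected (e.g. by the AD complexity policy). A retry here
        # means another Change-Password packet, not a plain re-authentication.
        ok = failure.retry_allowed and attempts_left > 0 and failure.challenge
        return "change-password" if ok else "stop"
    if (failure.code == ERROR_AUTHENTICATION_FAILURE
            and failure.retry_allowed and attempts_left > 0):
        return "retry-auth"
    return "stop"


def simulate(messages: List[str], retries: int = 3) -> List[Tuple[str, str]]:
    """Walk a sequence of Failure messages and record (error name, action)."""
    actions, left = [], retries
    for text in messages:
        failure = parse_failure(text)
        action = next_action(failure, left)
        actions.append((failure.name, action))
        if action == "stop":
            break
        left -= 1
    return actions


# Constructed sequence mirroring the post: expired password, a rejected new
# password, then a failure the server does not allow to be retried.
SAMPLE_FAILURES = [
    "E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired",
    "E=709 R=1 C=ffeeddccbbaa99887766554433221100 V=3 M=New password rejected",
    "E=691 R=0 V=3 M=Authentication failed",
]

if __name__ == "__main__":
    for name, action in simulate(SAMPLE_FAILURES):
        print(f"{name:30} -> {action}")
```

Run against a real exchange by feeding it the decoded Failure messages in order; a second event that arrives with `R=0` (or with the retry budget already spent) is exactly the point at which a supplicant gives up, which is the symptom described above.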

1 Reply

markus.menzi
Level 1

Hello,

I had a similar issue. I was able to resolve it by changing the identity source sequence. If it's set up like this: 1. Internal Users, 2. AD, try changing it to 1. AD, 2. Internal Users.

This issue even exists in ISE 2.2 Patch 1.

Hope this helps in your case.

Best regards,

Markus