cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
189
Views
0
Helpful
1
Replies

Unable to change expired AD password during the second attempt

Hi,

We are using a Cisco ISE 2.1 which is connected to AD in order to authenticate users. Client's AD policy forces users to change their password every 45 days.

PEAP (MS-CHAP v2) is the EAP used protocol, we are enabling change password in AD tab and retries value is 3 for MS-CHAP v2 PEAP.

So our issue is when we enter a new non-compliant password for the first time and we want to enter a compliant one after (matches required AD password complexity).

In this case, we are noticing that password change is not made and we are unable to login even with the old password.

Cisco ISE logs are showing two events : the first asking for a password change and the second saying that password is wrong.

Concerning switch configuration, VSA is already enabled and retries configuration under the interface is with default values.

The attached file shows traffic capture between switch and supplicant.

Did anyone encounter such issue before and could resolve it ?

1 REPLY 1
Highlighted
Beginner

Hello,

Hello,

had a similar issue. I was able to resolve it with changing the identity source sequence. If its setup like this: 1. Internal Users, 2. AD, try chaning it to 1. AD, 2. Internal Users.

This issue even exists in ISE 2.2 Patch 1.

Hope this helps in your case.

Best regards,

Markus