Beginner

How to force user to change expired password (ISE)

Hi, Community!

I've met an issue with security requirements that need to be applied to a wireless infrastructure built on Cisco WLC 2504 and ISE (RADIUS, CWA, authorization policy).

The issue is how to force users, who are authorized by CWA and have registered their devices' MACs with MAB, to change their password periodically (when expired).

The expiration policy is on ISE.

Or, if there is another way, please show it to me.

2 REPLIES 2
VIP Advisor

Re: How to force user to change expired password (ISE)

Hi,

Is the user password database stored on ISE? Usually the user password database is stored on the domain controller and ISE only validates users against the domain. In this case, you need to create a password policy on the domain controller.

If the user password database is stored on ISE, then take a look at this guide:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01101.html

-If I helped you somehow, please, rate it as useful.-

Beginner

Re: How to force user to change expired password (ISE)

Hi!

Thanks for your answer!

Users and passwords are stored on ISE. A password policy is in place, but I've found nothing about a solution at the URL you pointed to.

Extra: the authorization procedure with MAB. If the connecting device is in the RegisteredDevices database, then PermitAccess (1); if not, then it is redirected to the CWA portal (2). After a new user is authorized successfully through CWA (the user will change the default password there), the user's device MAC is registered in RegisteredDevices. The next time, the flow will be (1). But after some time the users (with devices in RegisteredDevices) should change their passwords. How do I configure ISE to force the user/device to be redirected to the ISE portal with the change-password interface (2)?
