
How to force user to change expired password (ISE)

Iontzev
Level 1

Hi, Community!

I've run into an issue with security requirements that need to be applied to a wireless infrastructure built on Cisco WLC 2504 and ISE (RADIUS, CWA, authorization policy).

The issue is how to force users who were authorized by CWA, and whose device MACs were registered with MAB, to change their password periodically (when expired).

The expiration policy is on ISE.

Or, if there is another way, please show it to me.

2 Replies

Hi,

 

Is the user password database stored on ISE? Usually the user password database is stored on a domain controller and ISE only validates users against the domain. In this case, you need to create a password policy on the domain controller.

 

If the user password database is stored on ISE, then take a look at this guide:

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01101.html

 

-If I helped you somehow, please, rate it as useful.-

Hi!

Thanks for your answer!

 

Users and passwords are stored on ISE. A password policy is in place, but I've found nothing about a solution at the URL you pointed to.

 

Extra: the authorization procedure with MAB. If the connecting device is in the RegisteredDevices database, then PermitAccess (1); if not, then redirect to the CWA portal (2). After a new user is authorized successfully through CWA (the user will change the default password there), the user's device MAC is registered in RegisteredDevices. The next time, the flow will be (1). But after some time the users (with devices in RegisteredDevices) should change their passwords. How do I configure ISE to force the user/device to be redirected to the ISE portal with the change-password interface (2)?
