Solved: WLC9800 Lobby Admin - Password has expired

mel.novilla · ‎02-05-2025

I have an issue regarding on the Lobby Ambassador Admin of WLC9800 where the credential is configured from Cisco ISE TACACS+

Initially, it can log on successfully using the username and password configured from Cisco ISE TACACS+, however, it immediately prompt that "Password has Expired"

Confirmed that TACACS+ credential has been set to "never expires"

WLC version 17.12.4 / Cisco ISE Version 3.4 Patch 1

Scott Fella · ‎02-08-2025

You need to uncheck this check box? Do you recall how long it was working for before it stopped? You can run some debugs on the controller also to see what gets logged when you try to login to the portal with that username.

-Scott
*** Please rate helpful posts ***

View solution in original post

Scott Fella · ‎02-05-2025

A few things, towards the bottom on the user id in ISE, you don't have "Disable account if date exceeds" enabled? You have tried on multiple browsers just in case something got cached? If you create a new account or if you just update the password again, you still have the same issue?

-Scott
*** Please rate helpful posts ***

mel.novilla · ‎02-05-2025

"Disable account if date exceeds" is unchecked

I have tried different browsers (edge, firefox and chrome) but still the same

I have also delete the old credential and add a different one with new password but same issue.

Configured a Full Admin credential and tested working fine without this pop-up window "Your password has expired"

Any other workaround for this Lobby Admin account?

mel.novilla · ‎02-05-2025

Scott Fella · ‎02-05-2025

Well.. you ISE looks good. There is a policy setting also in ISE, but maybe that is related to just admin. Nothing in your TACACS policy or live logs you see out of the ordinary or even compare the failed with the new admin account you created.

-Scott
*** Please rate helpful posts ***

mel.novilla · ‎02-07-2025

No logs on every success of failed login

Scott Fella · ‎02-08-2025

You need to uncheck this check box? Do you recall how long it was working for before it stopped? You can run some debugs on the controller also to see what gets logged when you try to login to the portal with that username.

-Scott
*** Please rate helpful posts ***

mel.novilla · ‎02-08-2025

Thanks @Scott Fella, it is working as expected now.

Haydn Andrews · ‎02-05-2025

What does the TACACS live logs for the authentication show? Also change password on next login not ticked is it?

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

mel.novilla · ‎02-07-2025

Says nothing but i can login using the configured Full Admin credentials

Scott Fella · ‎02-05-2025

Well I decided to try to lab this out. This is what I found, so make sure you look over the policies for internal users.

-Scott
*** Please rate helpful posts ***

mel.novilla · ‎02-07-2025

Same Cisco crap thing