Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco ISE disabled all internal Network users

Hi All,


Somehow, this morning when we checked on the ISE, all the IP phone users along with the internal users are disabled. We have disabled the password policy to disable the accounts if password is not changed. Our version is 1.2 and no patches. Can anyone please advise on this.

Wireless authentication for users against AD is ok.





Everyone's tags (1)

Requiring Guests to Change

Requiring Guests to Change Password

You can allow or require guest users to change their password after their initial account credentials are created by the sponsor. If guest users change their passwords, sponsors cannot provide guests with their login credentials if they are lost. The sponsor must create a new guest account.

You can either allow guests to change their passwords, or you can require that they do it at expiration and at first login. To require internal users using a guest portal to change their password upon their next login, choose Administration > Identity Management > Identities > Users . Select the specific internal user from the Network Access Users list and enable the change password check box.

Before You Begin

Create a Guest portal or modify the DefaultGuestPortal. This setting is specific to each Guest portal.

Step 1 Choose Administration > Web Portal Management > Settings > Guest > Multi-Portal Configuration.

Step 2 Check the Guest portal to update and click Edit .

Step 3 Click the Operations tab.

Step 4 Check either or both options:

    • Allow guest users to change password
    • Require guest users to change password at expiration and first login

Step 5 Click Save .

Cisco Employee

Is this fresh installation or

Is this fresh installation or migration

Community Member

The administrator may not

  • The administrator may not have changed the AD password on after joining the Cisco ISE node to the AD domain.
  • The account used to join Cisco ISE to the Active Directory domain may have an expired password.
  • Change the account password that was used to join the AD domain after adding Cisco ISE to Active Directory.
Community Member

Hi All, When I checked there

Hi All,


When I checked there is a 60 days lock out policy which is enabled. But the strange thing is, I have created the users for less than 60 days. I have disabled the option. I have to see if this happens again!


Thanks for all your timely reply.

Community Member

Thanks for posting this. I

Thanks for posting this. I was having the same issue. 

Community Member

Re: Hi All, When I checked there

Can you confirm if disabling the "60 day option" solved your problem?

I am having the same issue regarding some sponsor users who keep getting disabled and was trying to confirm if this is a valid resolution.


CreatePlease to create content