Users can't change password since 802.1x and ISE implementation

Hi all,

We implemented Cisco ISE 1.1 one week ago and we notice that Microsoft Active Directory users can't change their password when it has expired.

We store all user accounts in Microsoft Active Directory for authentication, and ISE is mapped to Microsoft Active Directory. Normally, when your password expires, Microsoft Active Directory asks you to change your password, but in our case the Cisco switch or 802.1x doesn't allow communication with Active Directory before giving access to the network. Is it a configuration mistake, or does Cisco not support this?

Best regards.

1 ACCEPTED SOLUTION

Hi,

I'm having the same problem. Did you find a solution?

Thanks

10 REPLIES

Hi,

Can you see if the "Enable Password Change" option is set in the Active Directory settings?

Administration > Identity Management > External Identity Stores > Active Directory > Advanced Settings.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

I checked and it is enabled. Here are the current settings:

Password change is enabled

Machine authentication is enabled

Machine access restriction is enabled

6 hours for Aging time.

Thanks.

Hi,

Are you using the "Default Network Access" as your "Allowed Protocols" in your condition for your AD authentication policy?

If so, can you see if the "Allow Password Change" is checked in the allowed protocols condition by going to:

Policy Elements > Results > Authentication > Allowed Protocols > (for example) Default Network Access > Allow PEAP > PEAP Inner Methods > Make sure the allowed password change is set.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

As we are using the Microsoft PEAP protocol on the desktop, I see that << Allow Password change >> is enabled but the <> value is set to 1.

Could I change the <> value to 3?

Best regards.

You can do that. Also, could you post a screenshot of the authentication failed message from ISE? Does it mention that the failure reason was password expiration or a bad password?

Thanks,

Tarik Admani
*Please rate helpful posts*

I hate to bring up an old post but we are having the same issue with iPads. I have checked all of the password settings mentioned here and all are set to allow password change. Has anyone resolved this issue?

Thanks,

Joe

I don't think the iPad supplicant supports changing your password using PEAP.

Has anyone found a solution to date for this problem? The allow password change is enabled anywhere possible. On ISE I get the following message:

Event:

5411 Supplicant stopped responding to ISE

Failure reason:

24407 User authentication against Active Directory failed since user is required to change his password.

On my Android (Samsung S5) I never get the pop-up to change the AD password.

btw: I am on ISE version: 1.2.0.899

Manodj

Hi oussama,

You can check at Policy > Policy Elements > Results > Authentication > Allowed Protocols, and you can edit the default profile and allow changing the password.

Best regards.
