
Users can't change password since 802.1x and ISE implementation

silvere81
Level 1

Hi all,

We implemented Cisco ISE 1.1 one week ago and we have noticed that Microsoft Active Directory users can't change their password when it has expired.

We store all user accounts in Microsoft Active Directory for authentication, and ISE is mapped to Microsoft Active Directory. Normally, when your password has expired, Microsoft Active Directory asks you to change your password, but in our case the Cisco switch or 802.1x doesn't allow communication with Active Directory before giving access to the network. Is it a configuration mistake, or does Cisco not support this?

Best regards.


10 Replies

Tarik Admani
VIP Alumni

Hi,

Can you see if the "Enable Password Change" option is set in the Active Directory settings?

Administration > Identity Management > External Identity Stores > Active Directory > Advanced Settings.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

I checked and it is enabled. These are the current settings:

Password change is enabled

Machine authentication is enabled

Machine access restriction is enabled

6 hours for Aging time.

Thanks.

Hi,

Are you using the "Default Network Access" as your "Allowed Protocols" in your condition for your AD authentication policy?

If so can you see if the "Allow Password Change" is checked in the allowed protocols condition by going to:

Policy Elements > Results > Authentication > Allowed Protocols > (for example) Default Network Access > Allow PEAP > PEAP Inner Methods > Make sure the allowed password change is set.

Thanks,

Tarik Admani
*Please rate helpful posts*

Hi,

As we are using the Microsoft PEAP protocol on the desktop, I see that << Allow Password change >> is enabled but the <> value is set to 1.

Could I change the <> value to 3?

Best regards.

You can do that. Also, if you could post a screenshot of the authentication failed message from ISE: does it mention that the failure reason was due to the password expiration or a bad password?

Thanks,

Tarik Admani
*Please rate helpful posts*

I hate to bring up an old post but we are having the same issue with iPads. I have checked all of the password settings mentioned here and all are set to allow password change. Has anyone resolved this issue?

Thanks,

 

Joe

 

I don't think the iPad supplicant supports changing your password using PEAP.

Has anyone found a solution to date for this problem? The allow password change is enabled anywhere possible. On ISE I get the following message:

Event:

5411 Supplicant stopped responding to ISE

Failure reason:

24407 User authentication against Active Directory failed since user is required to change his password.

On my Android (Samsung S5) I never get the pop-up to change the AD password.

btw: I am on ISE version: 1.2.0.899

Manodj

Oussama Mbarek
Level 1

Hi,

I'm having the same problem. Did you find a solution?

Thanks

Hi Oussama,

You can check at Policy > Policy Elements > Results > Authentication > Allowed Protocols

and you can edit the default profile and allow changing the password.

Best regards.