Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
192
Views
1
Helpful
2
Replies

"Change Password" functionality

rezaalikhani
Level 3
Level 3

‎04-18-2024 02:57 AM - edited ‎05-02-2024 10:14 AM

Hi all;

I have several questions regarding the 'Change Password' functionality in various areas of ISE because there is little or no useful guidance on this topic from Cisco...

As far as I know, there are two places in ISE where you we can manage the "Password Change" operation:

1. From Administration -> Identity Management -> External Identity Sources -> Advanced Settings -> Enable Password Change

2. From Policy -> Policy Elements -> Results -> Allowed Protocols Services -> Default Network Access -> Allow PEAP -> Allow Password Change

Now my questions:

1. Do these options relate to each other?

2. What should happen under normal conditions when these options are enabled?

3. In the second option, what does "Retries" mean?

4. In the second option, it appears the "Retires" field does not relates to the "Allow Password Change" option. Now, how we can interpret that when we disable "Allow Password Change" option and configure the "Retires" option to 2?

Thanks

1 person had this problem
2 Replies 2

rezaalikhani
Level 3
Level 3

‎05-02-2024 10:13 AM - edited ‎05-02-2024 10:14 AM

Hi;

Although these options are introduced from early releases in ISE, unfortunately there are very limited docs published by Cisco for them. Can anyone from Cisco ISE team can add other explanation which help use how to utilize these options?

Thanks

0 Helpful

lohan
Cisco Employee
Cisco Employee
In response to rezaalikhani

‎05-05-2024 08:48 PM

Hi rezaalikhani,

These two password reset options are totally different roles in ISE actually.

 

The first one:

A Cisco ISE admin needs a mechanism to prevent Active Directory account lockout because of too many bad password attempts. You can configure the Bad Password Count attribute to prevent a lockout. Before sending the authentication to Active Directory, Cisco ISE should check if there are enough attempts left.

 

Before authenticating a user, Cisco ISE compares the maximum bad password attempts configured in Cisco ISE with the current value of the badPwdCount attribute on the Active Directory. When the maximum bad password attempts configured in Cisco ISE is equal to the value of the badPwdCount attribute, the authentication is dropped and not sent to the Active Directory.

 

The Second one:

Allow Password Change: Check this check box for Cisco ISE to support password changes.

Retry Attempts: Specifies how many times Cisco ISE requests user credentials before returning login failure. Valid values are 0-3.

Hope these message can help you.

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Network Analytics (formerly known as StealthWatch) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Best Regards,
Henry

0 Helpful
Customers Also Viewed These Support Documents