In this article, I want to point out something that could save you time in the future and potentially save you a TAC case.
Note: This article is perfect for environments where you wish to keep the same password for local user accounts.
The Cisco Identity Services Engine (ISE) comes packed with many good features, some of which include handy default security features for local user accounts and in this article, I will touch on one of those features.
By default, Cisco ISE will disable local user accounts after 60 days if the account passwords haven’t been changed. This behaviour can be changed within ISE but if you choose not to change this setting and you surpass the 60 days all user account will need to be re-enabled every 24-hours. Luckily ISE will allow you to disable this setting without having to change all the passwords for the local users, to do this follow the steps below.
- Log into ISE using the GUI
- Navigate to Administration >>> Identity Management >>> Identities – Verify the local accounts have been re-enabled
- Navigate to Administration >>> Identity Management >>> Settings >>> User Authentication Settings – This is where we will disable the default password lifetime. Deselect the radio button as shown in the image below and click save
That’s it! Now unless explicitly disabled, your local user accounts shouldn’t be found in a disable state again.