Cisco ISE is used to manage Cisco network devices. PAM has been configured with a master Active Directory service account, authenticating through Cisco ISE, to manage the local login user passwords on the Cisco network devices. The local accounts are not allowed to log in by default, and therefore cannot be configured to verify their own passwords. They are able to log in only when there is a problem using the AD accounts.
PAM specifically documents the "Verify through other account" option for login accounts (user EXEC), for example on the page https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-3/implementing/protect-privileged-account-credentials/add-target-accounts-to-target-applications/cisco-ssh-target-account-configuration.html.
We find that we can update the local account password using the AD account configured in PAM, but verification of the local account always fails.
This is a limitation of the Cisco network devices. They provide no "switch user" (su) command that one account could use to verify the password of another account. Therefore PAM has the verification hardcoded to fail for this option. That hardcoded failure is required for the password update process to succeed: the update process always starts with an attempt to verify the new password, and if PAM did not fail that first step, it would store the new password as verified without actually changing it on the Cisco target device.
Applies to any PAM release as of Mar 2021.
There is no good solution to the problem. If the account is able to log in, configure it with the option "Verify using own credentials". If the use case discussed above applies, and the account cannot verify its own password during normal operation, the best way to deal with it is to exempt such accounts from any password verification jobs and to avoid manual verifications as well. As long as password updates are successful, the account remains in a Verified state and is available for login when needed.