topic Re: can no longer ssh into the Primary Admin/Secondary MnT node in Network Access Control

can no longer ssh into the Primary Admin/Secondary MnT node

adamscottmaster2013 — Thu, 03 Jul 2025 00:50:04 GMT

My ISE cluster is 3.3 patch-4. Everything is working, and I can GUI and SSH into ALL nodes with the exception of SSH into the PAN node. I was able to ssh into it yesterday but today it stopped working and I received this message:

Pre-authentication banner message from server:

| Your account has expired; please contact your system administrator.

End of banner message from server

I need to be able to ssh into the PAN. All the password policy is NOT lockout/suspend account. How do I go about in resolving this issue? I can use mount the DVD to reset the password but in this case, it is telling me that the account is "expired" so this is definitely different.

Help!!!

Re: can no longer ssh into the Primary Admin/Secondary MnT node

Mark Elsen — Thu, 03 Jul 2025 08:51:10 GMT

- @adamscottmaster2013 You could try this one first : https://community.cisco.com/t5/network-access-control/ise-gui-login-error-quot-your-account-has-been-disabled-quot/m-p/1998905/highlight/true#M186840

To me , it looks like it is related to password not being changed within a certain (required) interval ; so password recovery procedures may still help,

Re: can no longer ssh into the Primary Admin/Secondary MnT node

adamscottmaster2013 — Thu, 03 Jul 2025 11:01:53 GMT

Thank you @Mark Elsen: Usually, the message should be "the password has expired" and NOT "the account has expired". I've run into this multiple times in the past, but the message is different this time.

Re: can no longer ssh into the Primary Admin/Secondary MnT node

Mark Elsen — Thu, 03 Jul 2025 11:50:57 GMT

- @adamscottmaster2013 I understand , but if my argument is correct and it is also displayed when a password was not changed in time, then try password recover procedures anyway (also the message could get changed between subsequent ISE versions (e.g.))
Also , for the time being I can't see anything else to try

Re: can no longer ssh into the Primary Admin/Secondary MnT node

adamscottmaster2013 — Fri, 04 Jul 2025 22:24:10 GMT

Hi @Mark Elsen: password recovery from DVD did NOT help. I opened a TAC case with Cisco and the TAC engineer informed me that there are several customers also experiencing this issue. I sent them the backup configuration for them to replicate it in their lab (hopefully). They might have to hack into the /etc/passwd and/or /etc/shadown file since ISE under the hood is Redhat Linux. Will keep you posted.

Re: can no longer ssh into the Primary Admin/Secondary MnT node

Mark Elsen — Sat, 05 Jul 2025 06:38:17 GMT

- @adamscottmaster2013 If you are using ISE on VM nodes you might have options to change /etc/shadow yourself :
Mount the root partition on another virtual machine

Each line in /etc/shadow has 9 colon-separated fields :
username:password:lastchg:min:max:warn:inactive:expire:reserved

If you change that for a particular account into
username:password:lastchg:min:max:warn:inactive::

Then the expire-info for the account is removed : e.g.
marc:$6$abc...:19909:0:99999:7:14:20000:
change into marc:$6$abc...:19909:0:99999:7:14::

Re: can no longer ssh into the Primary Admin/Secondary MnT node

adamscottmaster2013 — Mon, 07 Jul 2025 17:08:40 GMT

Is this method "supported" by Cisco?

Re: can no longer ssh into the Primary Admin/Secondary MnT node

Mark Elsen — Mon, 07 Jul 2025 17:26:06 GMT

- @adamscottmaster2013 No , officially you will need to rely on TAC access to make the necessary modifications,

Re: can no longer ssh into the Primary Admin/Secondary MnT node

adamscottmaster2013 — Fri, 18 Jul 2025 14:42:47 GMT

Update: I was able to do this. This is a known bug for version 3.3, regardless of patches. You can do this without Cisco TAC (prefer to have TAC online but it is not needed). Here is how to do it:

a- Mount the rescue iso on the VM,
b- Select the option “Rescue CISCO ISE system (Keyboard/Monitor)”
c- Select option “3) Skip to shell”
d- now you in shell mode, type "lsblk" to show you the system sda1, sda2, sda3, etc..
e- make dir and mount them: mkdir /mnt/sda2; mount /dev/sda2 /mnt/sda2; mkdir /mnt/sda3; mount /dev/sda3 /mnt/sda3
f- run lsblk just for the fun of it,
g- change shell with: "root /mnt/sda2
h- check the state of the account with the command: "chage -l adamscottmaster2013". The output will show you that the account expires,
i- to change it to never expire: chage -E -1 adamscottmaster2013,
j- to confirm the account is set to never expire: chage -l adamscottmaster2013
k- exit from shell
l- reboot
m- now you can ssh into the ISE with the account adamscottmaster2013 (or whatever account you created in your environment),

Hope that will help anyone with this issue from misery, LOL....