topic Re: You cannot! in Network Access Control

How to get into linux shell on Cisco ISE 1.2 ??

Ambuj M — Mon, 11 Mar 2019 04:57:16 GMT

How to get into linux shell on Cisco ISE 1.2 ???

Please follow the below steps

Ravi Singh — Wed, 20 Aug 2014 23:26:21 GMT

Please follow the below steps.

Step 1 After the Cisco ISE installation, launch a supported product, such as PuTTY, for establishing a Secure Shell (SSH) connection to a Cisco ISE appliance.

Step 2 In the Host Name (or IP Address) field, enter the hostname (or the IP address in dotted decimal format of the Cisco ISE appliance) and click Open .

Step 3 At the login prompt, enter the CLI-admin username (admin is the default) that you configured during setup and press Enter .

Step 4 At the password prompt, enter the CLI-admin password that you configured during setup (this is user-defined and there is no default) and press Enter .

By default the shell is

nspasov — Thu, 21 Aug 2014 15:57:41 GMT

By default the shell is locked down and you don't have access to it outside of a few "cisco like" commands and some ISE related commands. If you want more than that you will need to install a "root patch" that can be provided by Cisco TAC.

Thank you for rating helpful posts!

You cannot!

Saurav Lodh — Fri, 22 Aug 2014 00:24:12 GMT

You cannot!

No. Not unless allowed admin

Venkatesh Attuluri — Fri, 22 Aug 2014 10:45:30 GMT

No. Not unless allowed admin access and ability to install additional software.

Re: You cannot!

alextomko — Wed, 06 Mar 2019 19:37:23 GMT

All you need to do is boot from a Linux disc and do the following:

*root the VM's with redhat disc*

https://www.rootusers.com/how-to-reset-root-user-password-in-centos-rhel-7/
&
https://www.rootusers.com/red-hat-certified-system-administrator-rhcsa-ex200-passed/
~~~
Boot off Centos/rhel disc
Press 1 for single user mode
# chroot /mnt/sysimage
# passwd root

! set a password now.

! allow root login with ssh so you can login with ssh after rebooting.
# vi /etc/ssh/sshd_config - remove hash on "#PermitRootLogin yes" or if "PermitRootLogin no" make it "PermitRootLogin yes"

! if Cisco ACS 5.x - you can reboot now.

# exit - exit chrooted env
# touch /.autorelabel

# reboot

! if ISE - set /etc/shadow to read-only.

# chattr +i /etc/shadow

# exit - exit chrooted env
# touch /.autorelabel

# reboot
~~~

Re: You cannot!

Damien Miller — Sat, 09 Mar 2019 09:01:46 GMT

This is not something that anyone should be doing on an ISE deployment, and it won't enable a user to access root or the linux shell. ISE leverages something called ADE-OS which sits on top of RHEL. As indicated by nspasov, you access the underlying Linux CLI via TAC and the root key/root patch. This is not something Cisco provides for end user use, it is only used by TAC during troubleshooting to fix advanced issues. So even if you edit the root password, you need the root key that expires frequently, and the root patch that will work on your version.

It's also a 5 year old thread, no need to bump this.

Re: You cannot!

alextomko — Wed, 12 Jun 2019 19:49:19 GMT

It works fine and then you can simply ssh in as root and get into bash and or then create more usernames by un-chattering /etc/shadow with chattr -i /etc/shadow. Then edit your /etc/sudoers and allow your other user-id's to do paswordless sudo commands "newuser ALL=(ALL) NOPASSWD:ALL".

However if you reboot without setting /etc/shadow back to read-only it will reset the root so all that is required is to chattr +i /etc/shadow again if you need to make user-id changes. If Cisco would fix simple things like SSH ciphers and provide a way for SSH public key then something like this would not be required.

You are correct it should not be done in a production environment but for lab purposes there is no harm.

Re: You cannot!

Gioacchino — Fri, 28 Jul 2023 13:45:32 GMT

The classical way of replacing "!!" in shadow with no characters works too. The advice/recommendation "DO NOT EMULATE AT HOME/AT WORK" still applies.