yyc25160760
Level 1
Resetting Admin Password on a Cisco ISE Appliance
A great little “feature” of Cisco’s Identity Services Engine is that out of the box, the administrator account expires after 45 days if the password is not changed during that time. The documentation says that if you have trouble logging in you should click the “Problem logging in?” link and use the default administrative user/pass. This is of course ridiculous and does not work.
Below are the steps for properly resetting an admin password and for changing the security policy so the lockout doesn’t happen again.
Unlock the Admin
The unlock process is really a password recovery and works a lot like password recovery on an IOS device. You need console access to the appliance and the ISE software DVD/ISO. A reboot is required.
ISE systems can be installed on dedicated server hardware or as virtual appliances under VMware vSphere. The box in my lab was a virtual appliance so these steps are going to reflect console access and rebooting of a VM.
#1 – Reboot from ISE DVD/ISO
To get to the recovery console, the appliance needs to be booted from the ISE installation media. I had the ISO image handy so I used that. Now under vSphere, when the VM reboots, any media that was attached prior to the reboot is disconnected. The trick is to have the console window for the VM open in vSphere Client and hit the key when you see the VMware BIOS screen. With the machine sitting in the BIOS, it gives you time to reattach the ISE ISO to the DVD drive before the OS starts to load up.

Connect to ISO image on local disk
Also while in the BIOS, adjust the boot device order so it hits the CD-ROM drive before the hard drive.

CD-ROM before Hard Drive
If you’re doing a recovery on a physical appliance, you’ll probably still want to check your boot device order and also set it to boot from CD/DVD drive first.
Save your BIOS changes and boot the machine.
#2 – Reset Admin CLI Password
When the machine boots from the ISE DVD it will display a number of boot options.

ISE Boot Menu
If the appliance is a VM or is a physical appliance with a keyboard/mouse attached, choose #3. If the appliance is accessed via a serial console, choose #4.
The recovery menu now appears and asks which admin account to recover.

ISE Password Recovery Screen
Choose the account and enter a new password. This password will be used to log in on the appliance’s console. It does not work on the web UI.
Reboot the appliance now, making sure to eject/disconnect the DVD/ISO image so that it boots normally.
#3 – Reset the ISE GUI Admin Password
With the appliance booted normally, log in on the console using the password that was set in step #2. Remember: the console admin account is different than the web UI admin account. They have the same username but can have different passwords. Use the command “application reset-passwd ise admin” to set a new web UI admin password.

Reset ISE Web UI Password
The screenshot above shows other options that can be used with the “application” command.
The web UI should now be accessible using the password that was just set.
Change the Password Lockout Policy
The default password policy says that admin accounts will be locked out if their passwords are not changed once every 45 days.

ISE Admin Lockout Policy
This can be adjusted in Administration, System, Admin Access. Expand the Settings folder and highlight Password Policy.

ISE Password Policy Screen
The admin Password Policy page location has changed in ISE 1.1.x! It’s now Administration > System > Admin Access > Authentication > Password Policy. More info at this cisco.com link.
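Comments
yyc25160760
Level 1
Recently at a customer site I ran into a forgotten ISE admin login where neither the CLI nor the web UI could be accessed; I'm sharing the reset procedure with everyone.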
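Yanli Sun
Community Manager
yyc25160760 wrote on 2014-8-25 10:57:
Recently at a customer site I ran into a forgotten ISE admin login where neither the CLI nor the web UI could be accessed; I'm sharing the reset procedure with everyone.

Many thanks to the original poster for sharing :handshake I hope everyone will keep helping one another :)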
Xin Lei
Spotlight
Very practical... many thanks to the original poster for sharing :lol
neorealm
Community Member
Keeping this in case of future trouble, thanks for sharing.