Participant

ISE CLI Password not working

Hi,

I ran into this issue where I can log into ISE GUI with Admin username 'n password (internal). When I use the same user/password on CLI, I get an error 'Access Denied'.

Could someone please assist?

Thanks.

VIP Advocate

Re: ISE CLI Password not working

admin (web GUI, aka "application" user) is not related to the CLI admin.

You can reset the application admin password via the CLI.

You can also reset the CLI admin password via the CLI.  If you have lost the CLI admin password then you need to boot off the ISE .ISO and follow the password recovery procedure.

VIP Engager

Re: ISE CLI Password not working

Most likely your admin password has a special character like $ or something in it that is bombing at the CLI login.  ISE mistakenly will let you set the password during the build process with certain special characters that just won't work.  I have had this bite a few of my customers during recent installs.

I don't remember this being a problem in earlier versions but I (and a few of my fellow engineers) have seen this issue in 2.3.  The password works fine in the GUI.

Participant

Re: ISE CLI Password not working

Thanks for your response.

We are running version 1.3, any thoughts on that?

Cisco Employee

Re: ISE CLI Password not working

Please keep in mind that, during setup, ISE creates a default admin user for admin CLI and syncs it for admin web UI login. After that event, there is no sync between the two interfaces when creating additional users or updating any password on one or the other admin interface.

Participant

Re: ISE CLI Password not working

hslai wrote:

Please keep in mind that, during setup, ISE creates a default admin user for admin CLI and syncs it for admin web UI login. After that event, there is no sync between the two interfaces when creating additional users or updating any password on one or the other admin interface.

It means if someone changes the password in GUI, the CLI password would still be the same (created during setup)?

Cisco Employee

Re: ISE CLI Password not working

That is correct. The same the other way around, too -- updating the CLI password by CLI command "password" will not propagate to that for the admin web UI user with the same username.

Participant

Re: ISE CLI Password not working

hslai wrote:

That is correct. The same the other way around, too -- updating the CLI password by CLI command "password" will not propagate to that for the admin web UI user with the same username.

Does it mean we could only have 1 admin user/password for CLI?

Or can we create multiple users (both internal and using external ID source) for CLI?

Cisco Employee

Re: ISE CLI Password not working

ISE admin CLI users are currently internal only and additional users can be added by the configuration command username.

Participant

Re: ISE CLI Password not working

hslai wrote:

ISE admin CLI users are currently internal only and additional users can be added by the configuration command username.

Is there any guide to reset/recover CLI Admin Password?

Currently we are running ISE 1.3

VIP Advocate

Re: ISE CLI Password not working

You have to boot the VM/appliance from the .iso and then follow prompts (System Utilities) - there is a password reset option there

Participant

Re: ISE CLI Password not working

Arne Bier wrote:

You have to boot the VM/appliance from the .iso and then follow prompts (System Utilities) - there is a password reset option there

Thanks Arne:

I'm looking at the following doc:

ISE: Password Recovery Mechanisms - Cisco

Also, we have ISE in distributed environment.

2 x PAN (1st Pri Admin/Sec Mon, 2nd Sec Admin/Pri Mon)

2 x PSN

1 x SNS

Do I need to perform password recovery on Primary Admin PAN only?

Would it affect other nodes when I power off the Primary Admin PAN VM?

VIP Advocate

Re: ISE CLI Password not working

Powering off the PAN won't affect the RADIUS/TACACS/WebAuth on the PSNs and the PSNs will continue logging to the MnT.  However, if you're using Sponsor Portal then they won't be able to log into the Sponsor Portal because the PAN controls the master database.

The PAN admin CLI password is NOT synch'd to all the other nodes.  So you will need to perform this on all the nodes in the event where you are unable to guess the password, or even worse, are locked out on remaining nodes.

Participant

Re: ISE CLI Password not working

Arne Bier wrote:

The PAN admin CLI password is NOT synch'd to all the other nodes.  So you will need to perform this on all the nodes in the event where you are unable to guess the password, or even worse, are locked out on remaining nodes.

Primary PAN Admin is used to configure all other nodes, correct me if I'm wrong?

Usually we wouldn't need CLI access to other nodes, or do we?

VIP Advocate

Re: ISE CLI Password not working

Primary PAN is used to configure the Deployment but only via the PAN GUI - not via the PAN CLI ;-)  The CLI is locally significant only.

You need CLI access to all of your ISE nodes for maintenance purposes (IP routing changes, etc.).  If you are not planning to make any changes to the other nodes' CLI config (ADE-OS config) then don't bother resetting them.  But there may come the day where you do need those credentials.  I typically ensure that the admin CLI password is the same across all nodes.  It's a manual process to perform this (log into each node and use the password command).