ISE CLI Password not working

dot1x
Level 3

Hi,

I ran into this issue where I can log into the ISE GUI with the Admin username and password (internal). When I use the same user/password on the CLI, I get an error 'Access Denied'.

Could someone please assist?

Thanks.

17 Replies

Arne Bier
VIP

admin (web GUI, aka "application" user) is not related to the CLI admin.

You can reset the application admin password via the CLI.

You can also reset the CLI admin password via the CLI.  If you have lost the CLI admin password then you need to boot off the ISE .ISO and follow the password recovery procedure.

paul
Level 10

Most likely your admin password has a special character like $ or something in it that is bombing at the CLI login.  ISE mistakenly will let you set the password during the build process with certain special characters that just won't work.  I have had this bite a few of my customers during recent installs.

I don't remember this being a problem in earlier versions but I (and a few of my fellow engineers) have seen this issue in 2.3.  The password works fine in the GUI.

Thanks for your response.

We are running version 1.3, any thoughts on that?

hslai
Cisco Employee

Please keep in mind that, during setup, ISE creates a default admin user for admin CLI and syncs it for admin web UI login. After that event, there is no sync between the two interfaces if additional users are created or any password is updated on one or the other admin interface.

hslai wrote:

Please keep in mind that, during setup, ISE creates a default admin user for admin CLI and syncs it for admin web UI login. After that event, there is no sync between the two interfaces if additional users are created or any password is updated on one or the other admin interface.

It means if someone changes the password in GUI, the CLI password would still be the same (created during setup)?

hslai
Cisco Employee

That is correct. The same the other way around, too -- updating the CLI password by CLI command "password" will not propagate to that for the admin web UI user with the same username.

hslai wrote:

That is correct. The same the other way around, too -- updating the CLI password by CLI command "password" will not propagate to that for the admin web UI user with the same username.

Does it mean we could only have 1 admin user/password for CLI?

Or can we create multiple users (both internal and using external ID source) for CLI?

hslai
Cisco Employee

ISE admin CLI users are currently internal only and additional users can be added by the configuration command username.
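The CLI operations mentioned in the replies above, collected as an added example that is not part of any poster's reply: resetting the web GUI admin password from the CLI, changing the CLI password, and adding a second internal CLI user. The hostname `ise01`, the username `cliops` and the password placeholder are assumptions; interactive prompts are omitted, and exact syntax should be checked against the CLI reference for your ISE release.

```text
! Constructed session. "ise01" is a placeholder hostname, "cliops" a
! hypothetical username. Lines starting with "!" are comments.

! 1. Reset the web GUI ("application") admin password from the CLI.
!    This changes the GUI account only; the CLI admin password is untouched.
ise01/admin# application reset-passwd ise admin

! 2. Change the password of the CLI account you are logged in as.
!    The change is local to this node: it does not propagate to the
!    GUI user of the same name or to the CLI of any other node.
ise01/admin# password

! 3. Add a second internal CLI user, so that one lost password does not
!    force recovery from the .iso. CLI users are internal only.
ise01/admin# configure terminal
ise01/admin(config)# username cliops password plain <PLACEHOLDER-PASSWORD> role admin
ise01/admin(config)# end

! 4. Save the ADE-OS configuration and confirm the user entry exists.
ise01/admin# write memory
ise01/admin# show running-config

! 5. Repeat steps 2-4 on every node (PAN, MnT, PSN); nothing above is
!    replicated by the deployment. Test the new login in a second SSH
!    session before closing the current one.
```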

hslai wrote:

ISE admin CLI users are currently internal only and additional users can be added by the configuration command username.

Is there any guide to reset/recover CLI Admin Password?

Currently we are running ISE 1.3

You have to boot the VM/appliance from the .iso and then follow prompts (System Utilities) - there is a password reset option there

Arne Bier wrote:

You have to boot the VM/appliance from the .iso and then follow prompts (System Utilities) - there is a password reset option there

Thanks Arne:

I'm looking at the following doc:

ISE: Password Recovery Mechanisms - Cisco

Also, we have ISE in distributed environment.

2 x PAN (1st Pri Admin/Sec Mon, 2nd Sec Admin/Pri Mon)

2 x PSN

1 x SNS

Do I need to perform password recovery on Primary Admin PAN only?

Would it affect other nodes when I power off the Primary Admin PAN VM?

Arne Bier
VIP

Powering off the PAN won't affect the Radius/TACACS/WebAuth on the PSNs and the PSNs will continue logging to the MnT.  However, if you're using Sponsor Portal then they won't be able to log into the Sponsor Portal because the PAN controls the master database.

The PAN admin CLI password is NOT synch'd to all the other nodes.  So you will need to perform this on all the nodes in the event where you are unable to guess the password, or even worse, are locked out on remaining nodes.

Arne Bier wrote:

The PAN admin CLI password is NOT synch'd to all the other nodes.  So you will need to perform this on all the nodes in the event where you are unable to guess the password, or even worse, are locked out on remaining nodes.

Primary PAN Admin is used to configure all other nodes, correct me if I'm wrong?

Usually we wouldn't need CLI access to other nodes, or do we?

Primary PAN is used to configure the Deployment but only via the PAN GUI - not via the PAN CLI ;-)  The CLI is locally significant only.

You need CLI access to all of your ISE nodes for maintenance purposes (IP routing changes, etc.).  If you are not planning to make any changes to the other nodes' CLI config (ADE-OS config) then don't bother resetting them.  But there may come the day where you do need those credentials.  I typically ensure that the admin CLI password is the same across all nodes.  It's a manual process to perform this (log into each node and use the password command).
