11-08-2017 07:31 PM
Hi,
I ran into this issue where I can log into the ISE GUI with the Admin username and password (internal). When I use the same user/password on the CLI, I get an error 'Access Denied'.
Could someone please assist?
Thanks.
11-08-2017 10:20 PM
admin (web GUI, aka "application" user) is not related to the CLI admin.
You can reset the application admin password via the CLI.
You can also reset the CLI admin password via the CLI. If you have lost the CLI admin password then you need to boot off the ISE .ISO and follow the password recovery procedure.
11-09-2017 01:00 AM
Most likely your admin password has a special character like $ or something in it that is bombing at the CLI login. ISE mistakenly will let you set the password during the build process with certain special characters that just won't work. I have had this bite a few of my customers during recent installs.
I don't remember this being a problem in earlier versions, but I (and a few of my fellow engineers) have seen this issue in 2.3. The password works fine in the GUI.
11-14-2017 02:39 PM
Thanks for your response.
We are running version 1.3, any thoughts on that?
11-09-2017 11:57 AM
Please keep in mind that, during setup, ISE creates a default admin user for admin CLI and syncs it for admin web UI login. After that event, no sync between the two interfaces, if creating additional users or updating any password on one or the other admin interface.
11-14-2017 02:41 PM
hslai wrote:
Please keep in mind that, during setup, ISE creates a default admin user for admin CLI and syncs it for admin web UI login. After that event, no sync between the two interfaces, if creating additional users or updating any password on one or the other admin interface.
It means if someone changes the password in GUI, the CLI password would still be the same (created during setup)?
11-14-2017 02:55 PM
That is correct. The same the other way around, too -- updating the CLI password by CLI command "password" will not propagate to that for the admin web UI user with the same username.
11-14-2017 03:05 PM
hslai wrote:
That is correct. The same the other way around, too -- updating the CLI password by CLI command "password" will not propagate to that for the admin web UI user with the same username.
Does it mean we could only have 1 admin user/password for CLI?
Or can we create multiple users (both internal and using external ID source) for CLI?
11-14-2017 03:08 PM
ISE admin CLI users are currently internal only and additional users can be added by the configuration command username.
11-21-2017 04:06 PM
hslai wrote:
ISE admin CLI users are currently internal only and additional users can be added by the configuration command username.
Is there any guide to reset/recover CLI Admin Password?
Currently we are running ISE 1.3
11-21-2017 04:13 PM
You have to boot the VM/appliance from the .iso and then follow prompts (System Utilities) - there is a password reset option there
11-21-2017 04:31 PM
Arne Bier wrote:
You have to boot the VM/appliance from the .iso and then follow prompts (System Utilities) - there is a password reset option there
Thanks Arne:
I'm looking at the following doc:
ISE: Password Recovery Mechanisms - Cisco
Also, we have ISE in distributed environment.
2 x PAN (1st Pri Admin/Sec Mon, 2nd Sec Admin/Pri Mon)
2 x PSN
1 x SNS
Do I need to perform password recovery on Primary Admin PAN only?
Would it affect other nodes when I power off the Primary Admin PAN VM?
11-21-2017 04:37 PM
Powering off the PAN won't affect the Radius/TACACS/WebAuth on the PSNs and the PSNs will continue logging to the MnT. However, if you're using Sponsor Portal then they won't be able to log into the Sponsor Portal because the PAN controls the master database.
The PAN admin CLI password is NOT synch'd to all the other nodes. So you will need to perform this on all the nodes in the event where you are unable to guess the password, or even worse, are locked out on remaining nodes.
11-21-2017 04:50 PM
Arne Bier wrote:
The PAN admin CLI password is NOT synch'd to all the other nodes. So you will need to perform this on all the nodes in the event where you are unable to guess the password, or even worse, are locked out on remaining nodes.
Primary PAN Admin is used to configure all other nodes, correct me if I'm wrong?
Usually we wouldn't need CLI access to other nodes, or do we?
11-21-2017 04:59 PM
Primary PAN is used to configure the Deployment but only via the PAN GUI - not via the PAN CLI ;-) The CLI is locally significant only.
You need CLI access to all of your ISE nodes for maintenance purposes (IP routing changes, etc.). If you are not planning to make any changes to the other nodes' CLI config (ADE-OS config) then don't bother resetting them. But there may come the day where you do need those credentials. I typically ensure that the admin CLI password is the same across all nodes. It's a manual process to perform this (log into each node and use the password command).