Showing results for 
Search instead for 
Did you mean: 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Cisco Employee

Q: Is there a way to fall back from Cert-Based Admin Authentication to Username Password

Received this as an email.  Answering here:


We are actually faced with customers demand to authenticate ISE admin users by using client certificates.

I tried out this feature in virtual environment and was neither able to use local fallback user nor switch back to password-based auth.

Can you give us a hint regarding certificate base + local fallback admin access ?


There is no fail-back from Certificate Auth to Password auth.  This is because of the way that SSL Client checking works – when the web page’s SSL is configured to verify the client side & not just have a 1-way trust (normal SSL is client trusts Server, but server ignores client) then the SSL tunnel security the HTTP requires mutual authentication between the client/server.

If that mutual auth fails, the SSL tunnel cannot be formed and the page cannot be displayed in order to fail back to client auth.


Everyone's tags (3)
Cisco Employee

Re: Q: Is there a way to fall back from Cert-Based Admin Authentication to Username Password

Once cert-auth configured for ISE admin web UI access, the only way to fall back is to stop ISE and restart it with "safe" mode at ISE admin CLI. See application start

application stop ise

application start ise safe