
8603 Views, 10 Helpful, 9 Replies
kirubashankarr
Beginner

Admin account of ISE CLI has issues with credentials

Hi,

We have a set of 5 nodes in our deployment and we are facing an issue while logging into their CLI via "admin" credentials.

Error: "Access Denied".

Note:

We are using the correct password configured for the admin account, which was changed in December 2020, and we made changes with the creds again in March 2021.

We have no issues with RO privileged accounts.

We have raised a TAC case for this issue and below is their response.

  • ISE version 2.4 patch 13 VM deployment
  • ISE CLI admin password when logging in shows "access denied", which indicates we are giving a wrong password at the time of login.
  • We checked the password policy from the GUI and confirmed no settings were enabled for password expiry or account disable.
  • We checked the change config audit report to see if the password was changed by any user in the last 30 days, but we were not able to find any logs for the same in the reports.
  • As a next plan we will have to reset the password with the steps shown in the previous email from the ISO file.

Query:

We haven't done any changes to the password, the password policy is also not in the picture, and no bugs are reported for this version as per TAC.

It seems that the password gets changed automatically. Is there any way that the password changes automatically even with no policies in place and no intervention from a user?

Why does this happen?

What might be the root cause for this?

Is this bug behaviour? If yes, what is the solution?

Is there any other way to overcome this apart from the password recovery procedure, since that requires downtime in the environment?

Can someone help me with these queries please?

Thanks in advance.

Accepted Solutions
hslai
Cisco Employee

Without another CLI account with admin role, there is no way to reset this CLI admin user without performing the password recovery as Cisco TAC suggested.

The bug I mentioned has no resolution yet. Please work with Cisco TAC and see if the password used is somehow hitting this bug.

kirubashankarr
Beginner

Hello All,

I would like to let you people know that I have found a way to log in to the admin account without password recovery if the admin account is locked out.

Conditions:

The password should be remembered.

Restrictions:

Can be used only if you are having an issue logging into the admin CLI even when you are trying with the correct password and get the errors below.

Console Error: "Account Locked out"

CLI Error: "Access Denied"

Solution:

I came across an enhancement bug which might help you in this case, bug ID: CSCvs87754

9 Replies
ilay
Rising star

I don't know much about the automatic password change.
Maybe you can check whether there is a setting to lock the account, in Administration > System > Admin Access > Lock/Suspend Setting (of course, you need to reset the CLI and GUI passwords first).

Questions about circumventing password reset:
The ISE GUI provides settings for authentication using other identity sources. After setting this up, you can use a similar AD account or LDAP account to log in to the ISE GUI.
Please check the content of the PDF file for the setting method.
This may reduce the possibility of not being able to log in to ISE.

HTH

Hi Ilay,

Thanks much for the response on this.

We already have an AD configured and the AD logins are good and working fine.

We do not have any issues with GUI admin accounts or any other CLI accounts; the issue is with the CLI "admin" account alone.

Note:

The mentioned setting is already disabled, as mentioned already.

Query:

Without the intervention of a user or a policy push, the password has been changed, so we are given the error "Access Denied". Is there any known bug or any other possibility for this case?

Is it possible to rectify this issue without going for a Password Recovery?

There should be no better way besides restarting and recovering the password.
When the login fails, the CLI usually prompts "login incorrect"; I have never seen the "Access Denied" prompt before. It seems that the admin account cannot obtain normal permissions under the CLI.

Damien Miller
VIP Advisor

I want to clarify something here because it's not clear from the problem description.

The GUI admin account and the CLI admin account start off matching when you run the initial "setup" script, but they are separate and unique accounts. Adding to that, the CLI admin account is unique to each node; it is not shared across nodes like the single GUI admin account.

If you change the GUI admin password, this only changes it for GUI access.

If you change the CLI admin password, then this only changes it on the node you type the commands into.

If you have 10 nodes, and you change the CLI admin password on a single node's CLI, then the other 9 nodes will still have their previous CLI admin password.

hslai
Cisco Employee

Potentially the password contains some problem characters and the ISE CLI did not detect and reject it during the last update, if it was set using the configuration command username <>. See CSCvp86397 "ISE CLI password no check for special characters".
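As an added example (not Cisco's code and not from this thread): a pre-flight check that a new CLI admin password contains only characters the CLI is expected to handle, run by the operator before issuing the username/password configuration command on each node. Since the thread gives no list of the exact characters the bug mishandles, the allow-list, the hazard set and the length bounds below are assumptions to adjust against your own standard; the constructed sample passwords at the bottom are for illustration only.

```python
"""Pre-flight check for an ISE CLI admin password (added example, not Cisco code).

The thread reports that the ISE CLI may accept a password containing
characters it does not actually handle, after which the account answers
"Access Denied". Checking the candidate password before it is applied
avoids ending up with an admin account that can only be fixed by the
password-recovery procedure.
"""
import unicodedata
from typing import List

# Assumed policy values (not from the thread): adjust to your standard.
MIN_LEN = 8
MAX_LEN = 64

# Assumed safe punctuation: characters that do not act as quoting,
# escaping, help or separator tokens in a typical network CLI.
ALLOWED_PUNCT = set("!@#%^*()_-+=.,")

# Assumed hazardous characters: quotes, escapes, shell metacharacters,
# '?' (CLI help), whitespace. Conservatively rejected outright.
CLI_HAZARD = set("\"'\\`$|&;<>?{}[]~ ")


def check_cli_password(pw: str) -> List[str]:
    """Return a list of human-readable problems; empty list means the
    password passes every check."""
    problems: List[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} outside {MIN_LEN}-{MAX_LEN}")
    for i, ch in enumerate(pw):
        code = ord(ch)
        if code < 0x20 or code > 0x7E:
            # Control characters and anything outside printable ASCII.
            name = unicodedata.name(ch, "unnamed")
            problems.append(f"pos {i}: non-printable or non-ASCII U+{code:04X} ({name})")
        elif ch in CLI_HAZARD:
            problems.append(f"pos {i}: CLI-hazardous character {ch!r}")
        elif not (ch.isalnum() or ch in ALLOWED_PUNCT):
            problems.append(f"pos {i}: punctuation {ch!r} not in allow-list")
    return problems


def is_cli_safe(pw: str) -> bool:
    """Convenience wrapper for scripts that only need a yes/no answer."""
    return not check_cli_password(pw)


if __name__ == "__main__":
    # Constructed sample passwords; none of these are real credentials.
    samples = ["Ise2021Admin!", 'Ise"2021 Admin', "Ise2021\u20ac", "short"]
    for candidate in samples:
        issues = check_cli_password(candidate)
        verdict = "OK" if not issues else "REJECT"
        print(f"{verdict}: {candidate!r}")
        for issue in issues:
            print(f"    - {issue}")
```

Because each node's CLI admin account is independent, the same vetted password still has to be applied on every node separately; the check only guarantees the string itself is safe to type, not that all nodes received it.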

 

hslai,

Thanks for the help.

It shows that it is bug behaviour.

We will give it a try with the workaround provided in the "Bug Search Tool".

It was working fine for the past 3 months and the "admin" account has had issues in recent times.

Is there any time duration for this to cause this issue?

Is there any other way to recover the password or reset the password of "admin" without downtime?

Thanks in advance

Hslai,

Is there any patch available to mitigate this bug?

If yes, what is the patch?

Currently we are on 2.4 patch 13.

