Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14685
Views
11
Helpful
9
Replies

Admin account of ISE CLI has issues with credentials

Go to solution
kirubashankarr
Level 1
Level 1

‎04-27-2021 03:33 PM - edited ‎04-27-2021 03:59 PM

Hi ,

 

We have a set of 5 nodes in our deployment and we are facing issue while logging into their CLI via "admin" credentials.

 

Error : "Access Denied".

 

Note :

 

We are using the correct password configured for the admin account and which was changed in the month of December of 2020 and made changes with the creds even at March 2021.

 

We have no issues with RO privileged accounts.

 

We have raised a TAC case for this issue and below is their response.

 

 

  • ISE version 2.4 patch 13 VM deployment
  • ISE cli admin password when logging in show access denied , which references we are giving a wrong password at the time of login .
  • We checked the password policy from the GUI and confirmed no settings were enabled for password expiry or account disable .
  • We checked the change config audit report to see if the password was changed by any user in last 30 days but we were not able to find any logs for the same in the reports .
  • As a next plan we will have to reset the password with the steps shown in the previous email from the ISO file .

Query :

 

We haven't done any changes in password and the password policy we have also not in the image and no bugs reported for this version as per TAC.

 

Seems that the password gets changed automatically, Is there anyway that the password changes automatically even no policies in place and no intervention of user?

 

Why this happens ?

 

What might be the Root cause for this?

 

Is this is a bug behavior? If yes , what is the solution?

 

Is there any other way to overcome this apart from password recovery procedure since that requires a downtime in environment.

 

Can someone help me on these queries please?

 

Thanks in Advance.

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-29-2021 05:58 PM

Without another CLI account with admin role, there is no way to reset this CLI admin user without performing the password recovery as Cisco TAC suggested.

The bug I mentioned has no resolution yet. Please work with Cisco TAC and see if the password used somehow hitting this bug.

View solution in original post

0 Helpful

Go to solution
kirubashankarr
Level 1
Level 1

‎08-24-2021 02:14 PM

Hello All ,

 

I would like to let you know people that I have found some way to login the admin account without password recovery if the admin account is locked out.

 

Conditions :

 

The password should be remembered.

 

Restrictions :

 

Can be used only if you are having issue in logging into admin CLI even when you are trying with the correct password and below errors. 

 

Console Error : "Account Locked out"

CLI Error : "Access Denied"

 

Solution :

 

I came across a enhancement bug which might help you in this case , bug ID : CSCvs87754

View solution in original post

9 Replies 9

Go to solution
ilay
VIP
VIP

‎04-27-2021 10:58 PM

I don’t know much about the automatic password change.
Maybe you can check whether there is a setting to lock the account, in Administration-System-Admin Access- Lock/Suspend Setting (Of ​​course, you need to reset the CLI and GUI passwords first)

 

Questions about circumventing password reset
The ISE GUI provides settings for authentication using other identity sources. After setting, you can use a similar AD account or LDAP account to login ISE GUI.
Please check the content of the pdf file for the setting method
This may reduce the possibility of not being able to log in to ise

 

HTH

Preview file
621 KB
0 Helpful

Go to solution
kirubashankarr
Level 1
Level 1
In response to ilay

‎04-27-2021 11:54 PM

Hi Ilay,

 

Thanks much for the response on this.

 

We already have an AD configured and the AD logins are good and working fine.

 

We do not have any issues in GUI admin accounts any any other CLI accounts , the issue is with CLI "admin" account alone.

 

Note :

 

The mentioned settings is already disabled as mentioned already.

 

Query :

 

Without the intervention of an user or policy push the password has been changed , so that we are given with error "Access Denied". Is there any known bug or any other possibility for this case.

 

Is it possible to rectify this issue without going for a Password Recovery ?

0 Helpful

Go to solution
ilay
VIP
VIP
In response to kirubashankarr

‎04-28-2021 12:56 AM

There should be no better way besides restarting and recovering the password
When the login fails, the CLI usually prompts "login incorrect",I have never seen the "Access Denied" prompt before. It seems that the admin account cannot obtain normal permissions under the CLI. 

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-27-2021 11:52 PM

I want to clarify something here because it's not clear from the problem description. 

The GUI admin account and the CLI admin account start off matching when you run the initial "setup" script, but they are separate and unique accounts. Adding to that, the CLI admin account is unique across nodes, it is not shared across like the single GUI admin account.

If you change the GUI admin password, this only changes it for the GUI access.

If you change the CLI admin password, then this only changes it on the node you type the commands in to.

 

If you have 10 nodes, and you change the CLI admin password on a single nodes CLI, then the other 9 nodes will still have their previous CLI admin password. 

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-29-2021 04:19 PM

Potentially the password contains some problem characters and ISE CLI did not detect and reject it during the last update, if using the configuration command username <>. See CSCvp86397 ISE CLI password no check for special characters

 

Go to solution
kirubashankarr
Level 1
Level 1
In response to hslai

‎04-29-2021 04:35 PM

hslai ,

 

Thanks or the help.

 

It shows that it is  bug behavior.

 

We will give a try with the work around provided in the "Bug Search Tool".

 

It was working fine for past 3 months and the "admin" account has issues in recent times.

 

Is there any time duration for this to cause this issue ?

 

Is there any other way to recover password or reset the password of "admin" without a downtime?

 

Thanks in advance

 

0 Helpful

Go to solution
kirubashankarr
Level 1
Level 1
In response to hslai

‎04-29-2021 05:00 PM

Hslai ,

 

Is there any patch available to mitigate this bug?

 

If yes what is the patch.

 

Currently we are in 2.4 - patch 13

Go to solution
hslai
Cisco Employee
Cisco Employee

‎04-29-2021 05:58 PM

Without another CLI account with admin role, there is no way to reset this CLI admin user without performing the password recovery as Cisco TAC suggested.

The bug I mentioned has no resolution yet. Please work with Cisco TAC and see if the password used somehow hitting this bug.

0 Helpful

Go to solution
kirubashankarr
Level 1
Level 1

‎08-24-2021 02:14 PM

Hello All ,

 

I would like to let you know people that I have found some way to login the admin account without password recovery if the admin account is locked out.

 

Conditions :

 

The password should be remembered.

 

Restrictions :

 

Can be used only if you are having issue in logging into admin CLI even when you are trying with the correct password and below errors. 

 

Console Error : "Account Locked out"

CLI Error : "Access Denied"

 

Solution :

 

I came across a enhancement bug which might help you in this case , bug ID : CSCvs87754

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents