04-27-2021 03:33 PM - edited 04-27-2021 03:59 PM
Hi,
We have a set of 5 nodes in our deployment and we are facing an issue while logging into their CLI with the "admin" credentials.
Error: "Access Denied".
Note:
We are using the correct password configured for the admin account, which was changed in December 2020, and we made changes with the creds even in March 2021.
We have no issues with RO privileged accounts.
We have raised a TAC case for this issue and below is their response.
Query:
We haven't made any changes to the password and the password policy we have also not in the image and no bugs reported for this version as per TAC.
It seems that the password gets changed automatically. Is there any way that the password changes automatically even with no policies in place and no intervention of a user?
Why does this happen?
What might be the root cause for this?
Is this a bug behavior? If yes, what is the solution?
Is there any other way to overcome this apart from the password recovery procedure, since that requires downtime in the environment?
Can someone help me with these queries please?
Thanks in advance.
04-27-2021 10:58 PM
I don’t know much about the automatic password change.
Maybe you can check whether there is a setting to lock the account, in Administration > System > Admin Access > Lock/Suspend Setting. (Of course, you need to reset the CLI and GUI passwords first.)
Questions about circumventing password reset
The ISE GUI provides settings for authentication using other identity sources. After setting, you can use a similar AD account or LDAP account to log in to the ISE GUI.
Please check the content of the PDF file for the setting method.
This may reduce the possibility of not being able to log in to ISE.
HTH
04-27-2021 11:54 PM
Hi Ilay,
Thanks much for the response on this.
We already have an AD configured and the AD logins are good and working fine.
We do not have any issues with GUI admin accounts and any other CLI accounts; the issue is with the CLI "admin" account alone.
Note:
The mentioned setting is already disabled, as mentioned already.
Query:
Without the intervention of a user or a policy push, the password has been changed, so we are given the error "Access Denied". Is there any known bug or any other possibility for this case?
Is it possible to rectify this issue without going for a password recovery?
04-28-2021 12:56 AM
There should be no better way besides restarting and recovering the password.
When the login fails, the CLI usually prompts "login incorrect". I have never seen the "Access Denied" prompt before. It seems that the admin account cannot obtain normal permissions under the CLI.
04-27-2021 11:52 PM
I want to clarify something here because it's not clear from the problem description.
The GUI admin account and the CLI admin account start off matching when you run the initial "setup" script, but they are separate and unique accounts. Adding to that, the CLI admin account is unique across nodes; it is not shared across like the single GUI admin account.
If you change the GUI admin password, this only changes it for the GUI access.
If you change the CLI admin password, then this only changes it on the node you type the commands into.
If you have 10 nodes, and you change the CLI admin password on a single node's CLI, then the other 9 nodes will still have their previous CLI admin password.
04-29-2021 04:19 PM
Potentially the password contains some problem characters and the ISE CLI did not detect and reject it during the last update, if using the configuration command username <>. See CSCvp86397, "ISE CLI password no check for special characters".
04-29-2021 04:35 PM
hslai,
Thanks for the help.
It shows that it is bug behavior.
We will give the workaround provided in the "Bug Search Tool" a try.
It was working fine for the past 3 months and the "admin" account has had issues in recent times.
Is there any time duration for this to cause this issue?
Is there any other way to recover the password or reset the password of "admin" without downtime?
Thanks in advance.
04-29-2021 05:00 PM
Hslai,
Is there any patch available to mitigate this bug?
If yes, what is the patch?
Currently we are on 2.4 - patch 13.
04-29-2021 05:58 PM
Without another CLI account with admin role, there is no way to reset this CLI admin user without performing the password recovery as Cisco TAC suggested.
The bug I mentioned has no resolution yet. Please work with Cisco TAC and see if the password used is somehow hitting this bug.
08-24-2021 02:14 PM
Hello All,
I would like to let you all know that I have found a way to log in to the admin account without password recovery if the admin account is locked out.
Conditions:
The password should be remembered.
Restrictions:
Can be used only if you are having an issue logging into the admin CLI even when you are trying with the correct password, and you see the below errors.
Console Error: "Account Locked out"
CLI Error: "Access Denied"
Solution:
I came across an enhancement bug which might help you in this case, bug ID: CSCvs87754