07-02-2025 05:50 PM
My ISE cluster is 3.3 patch-4. Everything is working, and I can GUI and SSH into ALL nodes with the exception of SSH into the PAN node. I was able to ssh into it yesterday but today it stopped working and I received this message:
Pre-authentication banner message from server:
| Your account has expired; please contact your system administrator.
End of banner message from server
I need to be able to ssh into the PAN. All the password policy is NOT lockout/suspend account. How do I go about resolving this issue? I can mount the DVD to reset the password, but in this case it is telling me that the account is "expired", so this is definitely different.
Help!!!
07-18-2025 07:41 AM - edited 07-18-2025 07:42 AM
Update: I was able to do this. This is a known bug for version 3.3, regardless of patches. You can do this without Cisco TAC (prefer to have TAC online but it is not needed). Here is how to do it:
a- Mount the rescue iso on the VM,
b- Select the option “Rescue CISCO ISE system (Keyboard/Monitor)”
c- Select option “3) Skip to shell”
d- now you are in shell mode, type "lsblk" to show you the system sda1, sda2, sda3, etc.
e- make dir and mount them: mkdir /mnt/sda2; mount /dev/sda2 /mnt/sda2; mkdir /mnt/sda3; mount /dev/sda3 /mnt/sda3
f- run lsblk just for the fun of it,
g- change shell with: "chroot /mnt/sda2"
h- check the state of the account with the command: "chage -l adamscottmaster2013". The output will show you that the account expires,
i- to change it to never expire: chage -E -1 adamscottmaster2013,
j- to confirm the account is set to never expire: chage -l adamscottmaster2013
k- exit from shell
l- reboot
m- now you can ssh into the ISE with the account adamscottmaster2013 (or whatever account you created in your environment),
Hope that will help anyone with this issue from misery, LOL....
07-03-2025 01:51 AM
- @adamscottmaster2013 You could try this one first : https://community.cisco.com/t5/network-access-control/ise-gui-login-error-quot-your-account-has-been-disabled-quot/m-p/1998905/highlight/true#M186840
To me , it looks like it is related to password not being changed within a certain (required) interval ; so password recovery procedures may still help,
M.
07-03-2025 04:01 AM
Thank you @marce1000: Usually, the message should be "the password has expired" and NOT "the account has expired". I've run into this multiple times in the past, but the message is different this time.
07-03-2025 04:41 AM - edited 07-03-2025 04:50 AM
- @adamscottmaster2013 I understand , but if my argument is correct and it is also displayed when a password was not changed in time, then try password recover procedures anyway (also the message could get changed between subsequent ISE versions (e.g.))
Also , for the time being I can't see anything else to try
M.
07-04-2025 03:24 PM
Hi @marce1000: password recovery from DVD did NOT help. I opened a TAC case with Cisco and the TAC engineer informed me that there are several customers also experiencing this issue. I sent them the backup configuration for them to replicate it in their lab (hopefully). They might have to hack into the /etc/passwd and/or /etc/shadow file since ISE under the hood is Red Hat Linux. Will keep you posted.
07-04-2025 11:38 PM
- @adamscottmaster2013 If you are using ISE on VM nodes you might have options to change /etc/shadow yourself :
Mount the root partition on another virtual machine
Each line in /etc/shadow has 9 colon-separated fields:
username:password:lastchg:min:max:warn:inactive:expire:reserved
If you change that for a particular account into
username:password:lastchg:min:max:warn:inactive::
Then the expire-info for the account is removed : e.g.
marc:$6$abc...:19909:0:99999:7:14:20000:
change into marc:$6$abc...:19909:0:99999:7:14::
M.
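The /etc/shadow layout in the post above, and the `chage -l` / `chage -E -1` check-and-clear in the accepted solution, as an added example (not from either poster): it parses a shadow line, converts the `expire` field (days since 1970-01-01) to a date, decides whether PAM would refuse the login today (pam_unix treats the account as expired once today >= expire), and rewrites the line with the field emptied, which is what `chage -E -1` does. The sample lines are constructed from the post's `marc:$6$abc...` example.

```python
from datetime import date, timedelta

# Field layout of one /etc/shadow line, as listed in the post above.
FIELDS = ("name", "password", "lastchg", "min", "max", "warn",
          "inactive", "expire", "reserved")
EPOCH = date(1970, 1, 1)  # shadow day counts are days since this date


def parse_shadow_line(line):
    """Split one shadow entry into a dict keyed by FIELDS; reject malformed lines."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def expire_date(entry):
    """Account-expiry date, or None when the field is empty/negative (never expires)."""
    raw = entry["expire"].strip()
    if raw == "" or int(raw) < 0:
        return None
    return EPOCH + timedelta(days=int(raw))


def is_account_expired(entry, today_iso):
    """True when sshd/PAM would refuse the login: today >= expiry date."""
    exp = expire_date(entry)
    return exp is not None and date.fromisoformat(today_iso) >= exp


def clear_expiry(line):
    """Rewrite the line with the expire field emptied, the same effect as `chage -E -1 user`."""
    entry = parse_shadow_line(line)
    entry["expire"] = ""
    return ":".join(entry[f] for f in FIELDS)


def expired_accounts(shadow_text, today_iso):
    """Names of every account in a shadow file whose expiry date has already passed."""
    entries = [parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip()]
    return [e["name"] for e in entries if is_account_expired(e, today_iso)]


# Constructed sample: the post's example line plus an account with no expiry set.
SAMPLE_SHADOW = ("marc:$6$abc...:19909:0:99999:7:14:20000:\n"
                 "admin:$6$xyz...:19909:0:99999:7:::\n")

if __name__ == "__main__":
    for raw in SAMPLE_SHADOW.splitlines():
        e = parse_shadow_line(raw)
        print(e["name"], "expires on", expire_date(e), "| expired today:", is_account_expired(e, "2025-07-02"))
    print("cleared:", clear_expiry(SAMPLE_SHADOW.splitlines()[0]))
```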
07-07-2025 10:07 AM - edited 07-07-2025 10:08 AM
Is this method "supported" by Cisco?
07-07-2025 10:26 AM
- @adamscottmaster2013 No , officially you will need to rely on TAC access to make the necessary modifications,
M.