
Cisco ISE 2.4 patch 6 CLI AAA command

baker82
Level 1

I have a question regarding the aaa CLI option within ISE 2.4 patch 4+.

Can someone tell me what this option is for?

I checked the CLI reference guide but it doesn't give any information. It doesn't look available in the base 2.4. It looks like it was added in a patch.

I have a single CLI admin user, and the CLI password policy requires password expiration every 45 days. This is bad because I have to go in and reset the password manually.

I want to use an automation account to change this CLI admin user's password prior to its expiration.

Is this possible with ISE 2.4?

1 Accepted Solution


Damien Miller
VIP Alumni

There are no APIs that would allow you to change the CLI admin password. Because it is standard SSH though, you could write a script to complete this. It would obviously be dependent on some automation server that is always available to sit the script on.

2.6 introduces AD CLI admin authentication. So in the future when you upgrade (I wouldn't right now) you could look forward to using AD accounts to manage the CLI functions. At the end of the day though, a backup local account will still have the same password policy and password change requirements you dictate.

I'm assuming you are referring to this command below. It's actually documented in Prime, which leverages the same ADE-OS shell that ISE does. I've never seen it used or mentioned in the ISE docs, I just know it hasn't worked on ISE.

Use example from Prime docs.
"aaa authentication tacacs+ server TACACS server address key plain shared-key"
"username tacacsuser password remote role admin"


2 Replies


Thanks Damien!