Solved: Re: Cisco ISE Appliance 3655 CLI Password Recovery

AMNassiri0210 · ‎10-08-2019

Hello Cisco ISE experts,
I have a Cisco appliance 3655 which I need to perform a CLI password recovery. Our remote engineer has forgotten the password set on the CLI during the initial configuration.

Since the 3655 Appliance does not have a CD/DVD drive, how do we perform the password recovery?

Could someone please assist with a guide/procedure to get the ISO file across so we can access the boot menu.

Apparently we can not get to the CIMC portal either.

Appreciate your assistance.

Thanks.

Damien Miller · ‎10-08-2019

If you cannot access the CIMC remotely then you will have to perform this work in person with a monitor and keyboard. If you had access to the CIMC you could mount the ISO via the java or html KVM. But with you saying you can't access the CIMC then your other option is to boot the appliance from a bootable USB drive with the ISE 2.4/2.6 loaded on it. The boot menu is available outside of the CIMC during server restarts. I have heard of people having issues with booting from USB so this might now work.

Since you don't have the CIMC password youwill have to perform a CIMC password reset via the service jumpers inside. I have not done this myself on a SNS appliance so it might be advisable to preemptively open a TAC case. The process is very likely the same as the c220m5 it was built off. Look for the section titled "Using the Clear Password Header (J38, Pins 13 - 14)".
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/hw/C220M5/install/C220M5/C220M5_chapter_010.html#task_z11_ncv_jz

I would reset the CIMC password first, then leverage the CIMC KVM to mount the ISO and reset the ISE CLI password.

View solution in original post

Damien Miller · ‎10-08-2019

If you cannot access the CIMC remotely then you will have to perform this work in person with a monitor and keyboard. If you had access to the CIMC you could mount the ISO via the java or html KVM. But with you saying you can't access the CIMC then your other option is to boot the appliance from a bootable USB drive with the ISE 2.4/2.6 loaded on it. The boot menu is available outside of the CIMC during server restarts. I have heard of people having issues with booting from USB so this might now work.

Since you don't have the CIMC password youwill have to perform a CIMC password reset via the service jumpers inside. I have not done this myself on a SNS appliance so it might be advisable to preemptively open a TAC case. The process is very likely the same as the c220m5 it was built off. Look for the section titled "Using the Clear Password Header (J38, Pins 13 - 14)".
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/hw/C220M5/install/C220M5/C220M5_chapter_010.html#task_z11_ncv_jz

I would reset the CIMC password first, then leverage the CIMC KVM to mount the ISO and reset the ISE CLI password.

AMNassiri0210 · ‎10-09-2019

Damien, thank you so much for your prompt response. Really appreciated.
Since the server is in a remote location I cannot perform the steps as you mentioned. I have asked the team to try and get to CIMC but as they explain they cannot login to it. Perhaps the password is mistyped same as the main CLI admin.
They are going to give a try with USB so hopefully that works.
I will keep you posted.
Thanks again.

Damien Miller · ‎10-09-2019

This is the specific issue I was thinking of with USB. You don't mention if the SNS had 2.4 or 2.6 on it, but I'm not sure if it also impacts 2.6. If you left 2.6 installed on the SNS appliance, maybe it will work.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq94084

I would certainly try the CIMC default password and still work on manually resetting it in person.
user: admin
password: password or Cisco1234 - not sure which it is now.

AMNassiri0210 · ‎10-13-2019

Hi Damien, thanks again for your reply. The SNS has 2.6 installed so we are hopeful it will work, or have the CIMC access sorted so we can go that path. The remote engineers will get to it this week and I will keep you posted on the progress. Appreciate your input and options proposed.

Thanks.

vaguirre17 · ‎05-28-2020

Hey guys. Could you recover the password with the USB or DVD? I'll try but When I choose boot with the virtual device I don't have the option to change the password. So I have to install.
Actually I had no previous experience with password recovery on ISE but I don't have same options as I'd have in another appliances. I had to reimage the SNS. But I won't want to perform a reimage in a production server.

Damien Miller · ‎05-28-2020

Yes you can do it from USB, and physical dvd only if it's an older appliance with a DVD drive. For all appliances, you can mount the ISE ISO via the CIMC HTML/java KVM virtual dvd drive. The process for a password reset hasn't changed since the SNS appliances released. You go through the same process that you would to install an ISE node from the ISO, booting from the ISE, but instead of selecting option 1 to perform a fresh install, you select option 3 to run through the CLI password reset.

Welcome to Cisco Identity Services Engine - ISE
To boot from hard disk press <Enter>
Available boot options:
[1] Cisco Identity Services Engine Installation (Keyboard/Monitor)
[2] Cisco Identity Services Engine Installation (Serial Console)
[3] Reset Administrator Password (Keyboard/Monitor)
[4] Reset Administrator Password (Serial Console)
<Enter> Boot from hard disk
Please enter boot option and press <Enter>
boot: 3

vaguirre17 · ‎05-29-2020

Hello @Damien Miller thanks for your post.

Actually I tried but in the option 3 and 4 I have <utility system console and keyboard and monitor> I didn't get the reset password option for that reason I performed the reimage process.

Thanks