AbelBurgos5029
Beginner

Cisco ISE Password Recovery

Hello everyone,

 

I need to perform a password recovery on a Cisco ISE appliance. I recently joined the company I am working at, and the person who configured it did not do very well with password documentation. I have a USB with the ISE bootable ISO if that helps. It is my first time working with Cisco ISE and I just want to get some ideas before I try anything.

 

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Damien Miller
VIP Advisor

I'm assuming from your suggestion of using the USB thumb drive with the ISO that you're doing this on a physical ISE appliance? If you provide us with some more details on the deployment we could possibly give some more specific advice.

This older document is still decent for the process, but some things will look a bit different.
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html


Keep in mind that the CLI admin is not synced across the nodes; you have to reset the password on each.

The GUI admin password can be set from the primary admin node CLI; this only has to be done once.

Last but not least, keep in mind the impact that taking down nodes will have to users and endpoints in the environment. Depending on how ISE is deployed, and how network devices are configured, the impact could be minimal or severe.

Hello,

Yes, it is a physical appliance. Honestly, I do not have many details on the deployment. I got here not long ago and I have not even been able to log into the ISE because the password was never documented. Here's the little I know so far:

 

1- It is a physical appliance and I have physical access to it.

2- I have the bootable ISO on a USB.

3- Its main functionality is to serve as a TACACS server.

 

Please let me know if there is something specific you need to know to help me and I will do some digging...

 

Thanks

If this is primarily TACACS and not end user RADIUS authentication via wireless/wired, then the impact is minimal. The primary concern is impacting end user authentication, admin user authentication can typically be absorbed fairly easily.

Follow the guide I linked. If you run into issues, then engage TAC, and they can assist with going through the process.

Thanks so much. The guide you linked is for when it is done on an ISE VM, I believe. Is the process the same?

Hi @AbelBurgos5029 , 

 

Yes, the process you see on the link is similar for physical as well. After you connect the USB to the appliance, reboot the server, go to the boot menu and follow the process from step 10. 

Similar to this on the SNS 3400 appliances, the graphics might look a bit different, but the process is still the same.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html#anc7

Instead of mapping the ISO via the KVM, you will select the USB you have the ISO mounted on.
