3048 Views, 4 Helpful, 6 Replies

Cisco ISE Web and CLI Admin Passwords

mark373737
Level 1

Hi Support Community,

Probably a very stupid question!

I have an 8 node (2 x PAN, 2 x MnT, 4 x PSN) virtual ISE deployment running 1.2.0.899 and last year I stupidly forgot to change the initial default 45 days password expiration.

This meant I was locked out on the Web GUI. However I could get in on the Primary PAN CLI so I was able to recover the password using "application reset-password ise admin" without any hassle. I then extended the expiration date to a year via the GUI.

This was all fine but I noticed over the past few months that on the CLI access (rarely need to use it but just happened to notice it), six of the 8 nodes (1 Secondary PAN, both MnT nodes and three of the four PSNs) still had the old CLI password. So for the past months I have had one common Web GUI password for ALL nodes, but two different passwords to remember for the CLI access.

Not really a problem but now on those 6 nodes ONLY, I am getting warnings when I log in (16 days from expiry). I seem to recall that the CLI is held locally so I thought I would change them INDIVIDUALLY with the "application reset-password ise admin" command.

However on the first one I tried I got a failure saying you can only run the command on a node in Primary or Standalone node.

So now I'm really confused. How can I change the password when they are not Primary or Standalone?

I never really understood the password thing on ISE. Is the Web GUI admin password held centrally and synchronized across all nodes, and is the CLI admin password held locally... if so, how can you change one in a distributed deployment?

Hope you can help...16 days and counting!!

6 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

You would need ISE SW DVD to reset the password and you need to do that locally on the node.

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_postins.html#pgfId-1194396

application reset-password ise <name> only changes the GUI password.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Fnu,

Thanks for the response. I have not forgotten my password, it is just expiring. Surely I don't need to use the SW DVD every time the password expires. Will I automatically get the option to renew it once it has expired or can I be proactive?

Everything I read says the Admin CLI password is local, so how can you change that if it's a node in a distributed deployment?

Regards

Mark

Hi Mark,

Yes it does prompt you to change the password and you can do it by directly logging into the CLI of the affected node. This will have no impact on any other device's CLI since it's local.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi Again Kanwal,

Thanks very much for the response. So I have to let it expire and then it will let me change it? I can't change the CLI admin password BEFORE it expires?

In summary then, the "application reset-password ise <name>" command ONLY changes the GUI password and there is NO way to change the CLI password UNTIL it expires.

Have I got that right?

Mark

Hi Mark,

You can, but for that you will need to go back to the first link I posted where you need the DVD.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

OK, understand now. What I had failed to spot was the capability to change the CLI password on the server via the "password" command.

Thanks, must have seen an odd question as I had a command to change the Web admin password but not CLI one.

M