08-20-2014 06:47 AM - edited 03-10-2019 09:57 PM
How to get into the Linux shell on Cisco ISE 1.2?
08-20-2014 04:26 PM
Please follow the below steps.
Step 1 After the Cisco ISE installation, launch a supported product, such as PuTTY, for establishing a Secure Shell (SSH) connection to a Cisco ISE appliance.
Step 2 In the Host Name (or IP Address) field, enter the hostname (or the IP address, in dotted decimal format, of the Cisco ISE appliance) and click Open.
Step 3 At the login prompt, enter the CLI-admin username (admin is the default) that you configured during setup and press Enter.
Step 4 At the password prompt, enter the CLI-admin password that you configured during setup (this is user-defined and there is no default) and press Enter.
08-21-2014 08:57 AM
By default the shell is locked down and you don't have access to it outside of a few "Cisco-like" commands and some ISE-related commands. If you want more than that, you will need to install a "root patch" that can be provided by Cisco TAC.
Thank you for rating helpful posts!
08-21-2014 05:24 PM
You cannot!
03-06-2019 11:28 AM - edited 03-06-2019 11:37 AM
All you need to do is boot from a Linux disc and do the following:
*root the VM's with redhat disc*
https://www.rootusers.com/how-to-reset-root-user-password-in-centos-rhel-7/
&
https://www.rootusers.com/red-hat-certified-system-administrator-rhcsa-ex200-passed/
~~~
Boot off Centos/rhel disc
Press 1 for single user mode
# chroot /mnt/sysimage
# passwd root
! set a password now.
! allow root login with ssh so you can login with ssh after rebooting.
# vi /etc/ssh/sshd_config - remove hash on "#PermitRootLogin yes" or if "PermitRootLogin no" make it "PermitRootLogin yes"
! if Cisco ACS 5.x - you can reboot now.
# exit - exit chrooted env
# touch /.autorelabel
# reboot
! if ISE - set /etc/shadow to read-only.
# chattr +i /etc/shadow
# exit - exit chrooted env
# touch /.autorelabel
# reboot
~~~
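As an added worked example (not part of any post in this thread), the following POSIX shell script performs the sshd_config edit from the procedure above on a copy of the file rather than by hand in vi. It handles the three states the post mentions: the directive commented out ("#PermitRootLogin yes"), set to "PermitRootLogin no", or absent altogether. The sample configs it builds are constructed for the demo; the function names (permit_root_login, effective_permit_root_login, make_sample_config) are this example's own. It assumes only sed, awk, grep and mktemp.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite the PermitRootLogin directive so
# the file ends with an active "PermitRootLogin yes".
# sshd honours the FIRST matching directive, so appending a line is not enough
# when an active "PermitRootLogin no" already exists earlier in the file.
# Caveat: directives inside "Match" blocks are also rewritten by this simple sed.

# permit_root_login FILE
#   "#PermitRootLogin yes"  -> uncommented
#   "PermitRootLogin no"    -> changed to yes
#   no directive at all     -> one appended
permit_root_login() {
    f="$1"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]' "$f"; then
        # Replace every commented or active occurrence (POSIX BRE, GNU and BSD sed).
        sed -e 's/^[[:space:]]*#\{0,1\}[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin yes/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '\nPermitRootLogin yes\n' >> "$f"
    fi
}

# effective_permit_root_login FILE
#   Print the value sshd would use: the first active (uncommented)
#   PermitRootLogin line, or "default" when none is set.
effective_permit_root_login() {
    v=$(awk 'tolower($1)=="permitrootlogin" {print $2; exit}' "$1")
    printf '%s\n' "${v:-default}"
}

# make_sample_config FILE STATE
#   Constructed sshd_config fragments for the three cases (demo data only).
make_sample_config() {
    case "$2" in
        commented) printf 'Port 22\n#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$1" ;;
        no)        printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication yes\n' > "$1" ;;
        missing)   printf 'Port 22\nPasswordAuthentication yes\n' > "$1" ;;
        *)         echo "unknown state: $2" >&2; return 1 ;;
    esac
}

# Demo when run stand-alone: exercise the three constructed cases in a temp dir.
demo() {
    d=$(mktemp -d)
    for state in commented no missing; do
        make_sample_config "$d/sshd_config.$state" "$state"
        before=$(effective_permit_root_login "$d/sshd_config.$state")
        permit_root_login "$d/sshd_config.$state"
        after=$(effective_permit_root_login "$d/sshd_config.$state")
        printf '%-9s before=%-7s after=%s\n' "$state" "$before" "$after"
    done
    rm -rf "$d"
}
demo
```

When applied to a real chrooted /etc/ssh/sshd_config, validate the result with `sshd -t` before rebooting; a syntax error there leaves you with no SSH at all, and in a rescue-disc session that is the only remote path back in.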
03-09-2019 12:53 AM - edited 03-09-2019 01:01 AM
This is not something that anyone should be doing on an ISE deployment, and it won't enable a user to access root or the linux shell. ISE leverages something called ADE-OS which sits on top of RHEL. As indicated by nspasov, you access the underlying Linux CLI via TAC and the root key/root patch. This is not something Cisco provides for end user use, it is only used by TAC during troubleshooting to fix advanced issues. So even if you edit the root password, you need the root key that expires frequently, and the root patch that will work on your version.
It's also a 5 year old thread, no need to bump this.
06-12-2019 12:45 PM - edited 06-12-2019 12:49 PM
It works fine, and then you can simply ssh in as root and get into bash, and/or then create more usernames by removing the immutable attribute from /etc/shadow with chattr -i /etc/shadow. Then edit your /etc/sudoers and allow your other user IDs to run passwordless sudo commands: "newuser ALL=(ALL) NOPASSWD:ALL".
However, if you reboot without setting /etc/shadow back to read-only, it will reset root, so all that is required is to chattr +i /etc/shadow again after you make user ID changes. If Cisco fixed simple things like SSH ciphers and provided a way to use SSH public keys, something like this would not be required.
You are correct that it should not be done in a production environment, but for lab purposes there is no harm.
07-28-2023 06:45 AM
The classical way of replacing "!!" in shadow with no characters works too. The advice/recommendation "DO NOT EMULATE AT HOME/AT WORK" still applies.
08-22-2014 03:45 AM
No. Not unless allowed admin access and ability to install additional software.