ISE CLI denies access 2 days after changing password

Eric R. Jones
Level 4

So we changed our passwords on the ISE nodes for CLI. Let's say we did this on Monday morning. We are able to log in all day Monday, but come Tuesday or Wednesday we are denied access at the CLI level; the GUI is fine. From that day forward we are unable to access the device. We then reload the device, say Thursday or Friday of that week, and the new password fails but the original password used after initialization and changing from the default works. So Cisco123 is the default and we changed it, say, 6 months ago when we built the node. We have done several password changes since then, but it doesn't remember any of those, just the first new password. This issue eventually affects all 4 nodes at some point. We have also run into the issue where, out of the blue, it will ask us for the old password as if we are initiating a password change.

We have ACAS scans run on our network and thought this may be a factor. We have ruled that out because the node hasn't been scanned since the last password change. 

Anyone else have these shenanigans going on?

ej

4 Replies

ammahend
VIP

What's the version and patch? Have you checked the release notes for any open caveat already?

-hope this helps-

We are on 3.2.0.542 and just moved up to patch 3 yesterday.

We have found nothing in the Admin Guide, release notes or via Google search.

Seems buggy; sounds somewhat similar to CSCwd73787. I would recommend opening a TAC case, since this caveat is resolved in your patch, but it's not uncommon for bugs to reappear.

-hope this helps-

It is likely that you might have Qualys or other scanners in your environment, and they keep trying to log into the ISE, and the ISE will disable the account after that. If I were you, I would do this on the ISE:

ciscoise001/admin#configure t
Entering configuration mode terminal
ciscoise001/admin(config)#password-policy
ciscoise001/admin(config-password-policy)#no password-lock-enabled
ciscoise001/admin(config-password-policy)#end
ciscoise001/admin#

This will prevent your CLI account from being locked out. Give that a try.