Solved: Re: Password Recovery on SNS-3515-K9 ISE Appliance

johnmike · ‎07-12-2019

I'm trying to do a password recovery for the CLI on our SNS-3515-K9 ISE appliance...if anyone has done a password recovery I would really appreciate it if you would share the procedures. Also....does anyone know the default password for the admin user that is configured on the appliance out of the box?

Thank You

Arne Bier · ‎07-17-2019

Hi @johnmike

There is no default admin password because during install, the user is forced to choose a password there and then. it's up to the user :-(

@balaji.bandi has posted the password recovery procedure - it's pretty simple - just one word of warning - I have done this before and I must have been drinking too much coffee that morning, but I ended up pressing the wrong menu button and started a fresh install on ISE. Luckily it was just a PSN. But be warned - READ the menu options carefully and think before you press any keys - this can be fatal.

cheers

View solution in original post

balaji.bandi · ‎07-12-2019

here is the password recovery procedure.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200568-ISE-Password-Recovery-Mechanisms.html#anc6

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

heritierdaya0403 · ‎04-28-2020

Hello BB,
Trust you are very well.
Currently we need to recover CLI password on our SNS-3515-K9 with no cd/dvd drive , following instructions in above link , I 'm stuck as Configuring CIMC and Creating a Bootable USB Drive page links are no more available . Can you advice please what can be done at this stage.

Thanks in advance

Arne Bier · ‎04-28-2020

Hi

You're left with no options. You have to boot the server with an operating system that comes from something other than the SNS-315's disk array. And this is typically via the USB, or vKVM in CIMC. You can't use any old OS because SNS servers are enabled for SafeBoot in the the UEFI (BIOS). Therefore you either need the Cisco ISE installer .iso or the ISE RescueRecovery .iso

Last option is to hack your way into the system - but if the account is disabled then you're wasting your time.

It's not difficult to mount an ISO file via the CIMC ... of course, assuming you know your password to the CIMC :-D - and then, if it's an old version of CIMC you'll engage in a dirty battle with Java to get the vKVM going.

heritierdaya0403 · ‎04-28-2020

Hi @Arne Bier

Thanks for your tips ,then i will try vKVM method and i get back to you asap.

Thanks.

heritierdaya0403 · ‎04-29-2020

Hi @Arne Bier

we have just chosen the vKVM method using CIMC ,so is there any possibility to download the ISE RescueRecovery .iso ? because i m not able to download the ise-2.4.0.357.SPA.x86_64.iso from cisco.com since our smartnet has just expired .

and requesting a new contract to a Cisco Partner can take long in this COVID-19 confinement period .

This thing is , our ISE cannot actually join AD because NTP sync issue , with an impact with 802.1x user authentication and i need to set it NTP in CLI , this is the main reason to recover password.

Thanks in advance.

Thanks in advance

Arne Bier · ‎04-29-2020

Hi @heritierdaya0403

I only mentioned the recovery ISO because that is a tool the TAC would use in dire situations - even if you had the recovery ISO it would only dump you onto the Linux root shell. I suppose only Cisco would know how to reset the ADE-OS user account credentials (these are not Linux accounts - probably buried deep in some Oracle table ...)

The ISE installation .iso is the solution for your needs - I just assumed that since you had a running system you'd also have the installer ISO file stored somewhere.

Maybe some kind Cisco employee can publish the 8GB file for you on a temporary link - I don't know any other ideas.

heritierdaya0403 · ‎04-29-2020

Hi Arne,

Thanks for your feedback.
Unfortunately we don't have the installer ISO stored somewhere :) .
should you share with us that temporary link to download , that will be much appreciated .

Thanks in advance.

Arne Bier · ‎04-30-2020

I’d love to help but I would be violating the Cisco licensing agreement because as you have discovered, Cisco don’t make this stuff freely available.

Please reach out to your Cisco SE/AM and ask them. I don’t work for Cisco.

heritierdaya0403 · ‎05-03-2020

Hello @Arne Bier

Thanks for your advice .

Finally we have got the installer.iso with the help of a Local Cisco Partner .

We have followed instructions as per all links you have shared with us and solved the issue.

Thanks for your time and assistance.

Greg Gibbs · ‎04-28-2020

If your current issue is that the old links for the CIMC and Bootable USB information are broken, you can find the information in these current links to info for ISE 2.4.

Install Cisco ISE using CIMC

Create a Bootable USB Device to Install Cisco ISE

heritierdaya0403 · ‎04-28-2020

Hi Greg,
Thanks for the links , let me go thru those links and then we can decide which method will be suitable for us .

Regards,

engineer467 · ‎06-24-2020

Hello heritierdaya,

Is it done using usb?

Please update.

Thanks.

engineer467 · ‎06-24-2020

Also in the link on how to create bootable USB, below is the Step6-

Step 6

From the USB drive, open the following text files in a text editor:

isolinux/isolinux.cfg
EFI/BOOT/grub.cfg

But when i created bootable usb, i can see syslinux/syslinux.cfg, there is no file called isolinux.cfg.

Someone please help.

Arne Bier · ‎07-17-2019

Hi @johnmike

There is no default admin password because during install, the user is forced to choose a password there and then. it's up to the user :-(

@balaji.bandi has posted the password recovery procedure - it's pretty simple - just one word of warning - I have done this before and I must have been drinking too much coffee that morning, but I ended up pressing the wrong menu button and started a fresh install on ISE. Luckily it was just a PSN. But be warned - READ the menu options carefully and think before you press any keys - this can be fatal.

cheers