Kashish_Patel
Explorer

Reset ISE CLI password

Hi Security Experts,

Is it possible to reset/recover the ISE CLI password from the ISE web GUI? I am able to get into the web GUI of ISE, but not able to log in to its CLI. So I want to reset/recover the ISE CLI password from its GUI.

PS: I rate useful posts.

Thanks,

Kashish

Tarik Admani
Advocate

Hi,

You can only recover the CLI password after rebooting the ISE node from the install DVD. There is no other method.

For reference - http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_postins.html#wp1194396


Hi Tarik,

Thanks for replying.

Here is what happened:

We have two admin ISE nodes (VMs) and two policy service nodes.

Everything (GUI and CLI) was fine for all the 4 nodes. I then changed the admin GUI password on the primary admin ISE node. I did NOT change the password on any of the other three nodes. However, I can log in to the web GUI of all the four nodes using the password that I changed. Is it because of the replication/sync amongst ISE nodes?

Does the password sync happen only for web GUI passwords and not for CLI passwords? Will deregistering/registering the node help in getting its password back? I am positive that the password used to work before and the problem happened only after I changed the web GUI password of the admin node. I am not sure how the passwords are getting sync'd amongst different ISE nodes.

Thanks,

Kashish

Yes, that is correct, the admin credentials/policies are stored in the application database which is shared amongst all the nodes in the deployment. However, the CLI password and also the database passwords are kept local on each instance.

Deregistering and re-registering will not affect the CLI credentials. I have also experienced issues with the PSN nodes changing randomly but I haven't had a chance to open a TAC case on this, I just reboot the nodes against the ISO and then set them again.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik,

As per the CLI-admin password recovery procedure at

http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_postins.html#wp1179256

I have inserted DVD in the hardware appliance, but I don't see any prompt with these options:

"Welcome to Cisco Identity Services Engine - ISE 3355

To boot from hard disk press

Available boot options: "

I just see a login prompt (and of course, I cannot log in because I don't know the password). I am using a serial console connection to the appliance. Any idea on this?

Are you using PuTTY? Try using HyperTerminal and see if the option displays correctly.

I used HyperTerminal as well. No luck.

Hi Tarik,

I had successfully reset the CLI admin password last time. Now three days back, this issue happened again and I had to reset the password again using the DVD. Do you know if it is an existing bug? What are the triggers for the bug? We already encountered this issue twice in nearly 3-4 months and want to know what triggers it.

Thanks,

Kashish

Hello Guys,

I have the same problem here, but my admin/monitoring nodes are VMware machines.

What's the procedure for a VMware environment?

Tks.

It's the same, except since it's virtualized you don't need a DVD. Use the .iso files that are available on cisco.com and mount that to the VMware CD drive. Reboot the VM and watch the console; the procedure is the same from there.

Tks!

What version of ISE do you have?

I haven't heard of any bugs like this, but I have heard of some customers with environments where there is an automated network scanner that attempts to log into any device with ssh available. ISE will lock out an account that has multiple authentication attempts against it.

Version: 1.1.2.145

I had successfully reset CLI admin password last time. Now three days back, this issue again happened and had to reset password again using DVD. Do you know if it is an existing bug? What are the triggers for the bug? we already encountered this issue twice in nearly 3-4 months and want to know what triggers it.

I've seen that at a customer too.
