Unable to SSH to new CLI users and admin roles ISE 2.7

ShaunGreen
Level 1

Hi All,

We have recently upgraded to ISE 2.7. I had created an admin user and was able to SSH to the CLI of the ISE using this user.

We then deleted this user and since then, with every account we created locally on the device (VM), it's not been possible to SSH using admin or user accounts to the CLI.

Another admin account that was set up from the beginning is still functioning and we can connect to the CLI using this account. But any new users we set up just fail (please see attached example).

Two of us have tried several times, so it's not a 'fat finger' issue, we've been very careful entering username and passwords.

Does anyone have any ideas of what to check?

Thanks and kind regards,

Simon

Accepted Solution

Dear All,

Well, an update, albeit slightly strange.

We did end up rebooting the ISE, although we had done that in the past.

We created another local username and this time it worked. If it had been just me working on it, I would have said perhaps I was making a 'typo' somewhere, although I tried several times. But my colleague also tried and had the same outcome.

We will keep monitoring and see what happens in the future. If we see the same issues we will carry out the recommended steps. 

1. Try reload of ISE.

2. Enable "admin-infra" and "infrastructure" log component at debug level and tail ADE.log and ise-psc.log to see if any specific error is coming while user tries to login.

show logging application ise-psc.log tail

show logging system ade/ADE.log tail

3. Apply latest patch 1 and test the behavior.

Thanks to all for their input.


7 Replies

marce1000
VIP

 - Can you try to operate your ssh-client in verbose mode and then check if any additional info is being displayed when the connection to ISE is made ?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
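
An added example, not part of the original thread: a small shell helper that reads OpenSSH client verbose output (`ssh -v`) and reports whether a failed CLI login stopped at the network, at the offered authentication methods, or at a rejected password. The host name, user name and the two sample transcripts are constructed for illustration; the matched strings are standard OpenSSH client messages.

```shell
#!/bin/sh
# Real use (host and user are placeholders):
#   ssh -v newuser@ise.example.net 2>&1 | classify_ssh_debug

classify_ssh_debug() {
    # Reads `ssh -v` output on stdin and prints a one-line verdict.
    awk '
        /Authentication succeeded|Authenticated to /  { ok = 1 }
        /Authentications that can continue:/ {
            offered = $0; sub(/.*continue: */, "", offered)
        }
        /Next authentication method: password/        { tried_pw = 1 }
        /Permission denied/                           { denied = 1 }
        /Connection (refused|timed out)/              { net = 1 }
        /Connection (closed|reset) by/                { closed = 1 }
        END {
            if (ok)                      print "auth-ok"
            else if (net)                print "network: no TCP session to the SSH port"
            else if (tried_pw && denied) print "password-rejected: server offered [" offered "]"
            else if (offered != "" && offered !~ /password|keyboard-interactive/)
                                         print "password-not-offered: server offers only [" offered "]"
            else if (closed)             print "closed-before-auth: server dropped the session"
            else                         print "unknown: read the full debug output"
        }'
}

# Constructed transcript: newly created CLI user, password refused by the server.
sample_rejected() {
cat <<'EOF'
debug1: Connecting to ise.example.net [192.0.2.10] port 22.
debug1: Connection established.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
Permission denied, please try again.
newuser@ise.example.net: Permission denied (publickey,password).
EOF
}

# Constructed transcript: the original setup-time admin account logging in.
sample_original_admin() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF
}

sample_rejected | classify_ssh_debug
sample_original_admin | classify_ssh_debug
```

A `password-rejected` verdict for the new user alongside `auth-ok` for the original admin means the client side is behaving the same for both accounts, so the next place to look is the server-side logs.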

If the new user has been created with plain password option with role admin. If not, then create a new user with a plain password and test.

"username abc password plain abc123 role admin". The password will automatically be hashed and shown as password type hash in the running config.

Adding to this to ensure we are all on the same page, it's not really clear to me if you are defining new admin users in the GUI, or on the CLI with the command poongarg shared.

If you are defining new GUI admin users, these do not work on the CLI. These are two independent admin user databases which just happen to share the same username/password defined in the setup script, but two independent accounts.

Hi There,

Yep, we did exactly that and several times.

It's the same outcome unfortunately. 

This sounds very weird I know, but about two weeks ago, I created another username and password assigned to admin and was able to SSH to the ISE VM. Now, even after trying with 3 different combinations of username and password, each of them has the same result. We are unable to SSH to the ISE using a newly created username.

We are, however, still able to SSH using the original username that was set up when this ISE was built.

Regarding the GUI and SSH being separate, yes, we understand that. But currently we are unable to successfully SSH to the device when we create a username from the command line.

Thanks all.

Hi There,

Sorry for the delay in getting back to you, had a few things that needed clearing up.

I'll investigate in the meantime, but from the verbose option whilst SSH'ing to the ISE VM I see the following in the attached.

But yet the existing username/password that was configured when this device was installed is working fine.

In such a case there are a couple of options you can try:

1. Try reload of ISE.

2. Enable "admin-infra" and "infrastructure" log component at debug level and tail ADE.log and ise-psc.log to see if any specific error is coming while user tries to login.

show logging application ise-psc.log tail

show logging system ade/ADE.log tail

3. Apply latest patch 1 and test the behavior.
