22417 Views, 20 Helpful, 13 Replies

Cisco ISE - root mode

JLaime001
Level 1

Greetings all, I wonder if someone could give me a hand with this.
I'm having problems with time synchronization between my Microsoft NTP server and the ISE appliance. I searched the internet and it tells me that I have to make certain settings on the ISE as root, but I don't know how to enter that mode.
Does anyone know how to enter the ISE appliance as root?
Thank you

13 Replies

Marvin Rhoads
Hall of Fame

I'm surprised that document got through TAC review for publication.

The ISE root shell is only accessible via the TAC-use-only root patch (ISE 1.4 and below) or the new "tech support-tunnel" (ISE 2.0).

End users (i.e. customer admins) do not have access to the ISE root (Linux OS shell).

ajc
Level 7

Thanks for sharing this file. Now I can fix this issue on my side. Temporarily, what I did was to configure my 6500 switch as NTP server for the ISEs. This 6500 switch was getting the clock with no issues from the Windows NTP server, and so were the ISEs. Let me open a case now so I can get the procedure from TAC to apply this fix. I will post the procedure here later.

In fact, I made on October 31st a major upgrade in our ISE deployment (10+ devices - distributed environment) from 1.2.1.198 patch 5 to 1.4 patch 3. I could not sync the ISE to the Microsoft NTP Servers and based on the Cisco TAC I was facing the following:

The problem that you have with the ISE server and NTP is a known issue that ISE has with Windows servers.

The problem is that the ISE server has a strong problem synchronizing with a Windows NTP server.

We found documentation that says that the ISE server has problems with the NTP server for Windows. As a recommendation, we pointed the ISE server to a local switch that was configured as an NTP server; the ISE servers are now synchronized with the switch.

There are different recommendations to resolve this problem:

  1. Use a different server instead of windows ntp to do the time synchronization.
  2. Use a Cisco device like a switch or router as an NTP server to synchronize the ISE server.
  3. http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_admin.html

In our WebEx session we tested the second recommendation: we synchronized the ISE server with the switch, and the ISE servers started to synchronize correctly with the switch as an NTP server.

In this scenario the switch is synchronized with the NTP server and the ISE is synchronized with the switch; as a result, the ISE server did not present any problem in the NTP synchronization with the switch.

These are the links about the problems:

http://www.cisco.com/c/en/us/support/docs/ip/network-time-protocol-ntp/116161-trouble-ntp-00.html

https://supportforums.cisco.com/discussion/11619556/synchronizing-cisco-ise-and-ntp-server
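A check worth doing before changing anything on the appliance is to look at what the Windows NTP server actually advertises, because an NTP client validates the server's leap indicator, stratum and root delay/dispersion before it accepts the server as a time source; a reply that fails those checks is rejected no matter which client asks. The script below is an added example written for this thread, not code from the original posts, Cisco or ISE. It decodes an NTP reply (RFC 5905 header layout) and lists the reasons a client such as ntpd would refuse it. The sample packets are constructed, not captures from a real server; the 1.5 s root-distance threshold is ntpd's default `tos maxdist` (an assumption about the client, since RFC 5905 itself uses 1 s); and `query_server()` can be pointed at a real server address to inspect a live reply.

```python
"""Decode an NTP server reply and report the fields an NTP client checks
before accepting the server.  Added example for this thread; not Cisco or
ISE code.  The sample packets below are constructed, not real captures."""
import socket
import struct
from dataclasses import dataclass

NTP_HEADER = struct.Struct("!BBBbiI4sQQQQ")  # 48-byte header, network byte order
NTP_EPOCH_OFFSET = 2208988800                # seconds from 1900-01-01 to 1970-01-01
# Assumption: ntpd's default 'tos maxdist' root-distance threshold, in seconds.
MAXDIST_S = 1.5


@dataclass
class NtpReply:
    leap: int               # 3 = server's own clock is unsynchronized
    version: int
    mode: int               # 4 = server reply
    stratum: int            # 0 = kiss-o'-death, 1 = primary, 16 = unsynchronized
    root_delay: float       # seconds to the server's reference clock
    root_dispersion: float  # seconds of accumulated error
    ref_id: bytes
    transmit_ts: float      # Unix seconds


def parse_ntp_reply(data: bytes) -> NtpReply:
    """Unpack the fixed 48-byte NTP header; extension fields are ignored."""
    if len(data) < NTP_HEADER.size:
        raise ValueError(f"packet too short for an NTP header: {len(data)} bytes")
    (li_vn_mode, stratum, _poll, _precision, root_delay, root_disp,
     ref_id, _ref_ts, _orig_ts, _recv_ts, xmt_ts) = NTP_HEADER.unpack_from(data)
    return NtpReply(
        leap=li_vn_mode >> 6,
        version=(li_vn_mode >> 3) & 0x7,
        mode=li_vn_mode & 0x7,
        stratum=stratum,
        root_delay=root_delay / 65536.0,      # signed 16.16 fixed point
        root_dispersion=root_disp / 65536.0,  # unsigned 16.16 fixed point
        ref_id=ref_id,
        transmit_ts=(xmt_ts >> 32) + (xmt_ts & 0xFFFFFFFF) / 2**32 - NTP_EPOCH_OFFSET,
    )


def reply_problems(reply: NtpReply) -> list[str]:
    """Reasons a client would refuse this server; an empty list means acceptable."""
    problems = []
    if reply.mode != 4:
        problems.append(f"mode {reply.mode} is not a server reply (4)")
    if reply.leap == 3:
        problems.append("leap indicator 3: server says its own clock is unsynchronized")
    if reply.stratum == 0:
        problems.append(f"stratum 0: kiss-o'-death code {reply.ref_id!r}")
    elif reply.stratum >= 16:
        problems.append(f"stratum {reply.stratum}: server is unsynchronized")
    # Simplified root distance: the server-advertised part only, without the
    # local round-trip delay and jitter a real client would add.
    root_distance = reply.root_delay / 2 + reply.root_dispersion
    if root_distance >= MAXDIST_S:
        problems.append(f"root distance {root_distance:.3f}s >= {MAXDIST_S}s threshold")
    return problems


def query_server(host: str, timeout: float = 2.0) -> NtpReply:
    """Send a minimal mode-3 client request over UDP/123 and parse the reply."""
    request = bytearray(48)
    request[0] = (0 << 6) | (4 << 3) | 3  # LI 0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(bytes(request), (host, 123))
        data, _ = sock.recvfrom(512)
    return parse_ntp_reply(data)


def build_server_reply(stratum: int, root_delay_s: float, root_disp_s: float,
                       leap: int = 0, ref_id: bytes = b"GPS\x00",
                       unix_time: int = 1_700_000_000) -> bytes:
    """Construct a mode-4 reply for offline testing (constructed data)."""
    li_vn_mode = (leap << 6) | (4 << 3) | 4
    xmt_ts = (unix_time + NTP_EPOCH_OFFSET) << 32
    return NTP_HEADER.pack(li_vn_mode, stratum, 6, -20,
                           int(root_delay_s * 65536), int(root_disp_s * 65536),
                           ref_id, 0, 0, 0, xmt_ts)


# Constructed sample replies (not real captures): a healthy server, one that
# advertises a huge root dispersion, and one that admits it is unsynchronized.
SAMPLE_REPLIES = {
    "healthy": build_server_reply(2, 0.020, 0.050, ref_id=b"\x0a\x00\x00\x05"),
    "high_dispersion": build_server_reply(4, 0.020, 10.0, ref_id=b"\x0a\x00\x00\x05"),
    "unsynchronized": build_server_reply(16, 0.0, 0.0, leap=3, ref_id=b"INIT"),
}

if __name__ == "__main__":
    for name, packet in SAMPLE_REPLIES.items():
        reply = parse_ntp_reply(packet)
        print(name, "stratum", reply.stratum, reply_problems(reply) or "ok")
```

To inspect a live server, call `query_server("<ntp server ip>")` from a host that can reach UDP/123. If the reply shows stratum 16, leap indicator 3 or a root distance above the threshold, the time source itself is what needs attention (or, as TAC suggested above, front it with a switch or router that ISE can synchronize to), and no change on the ISE appliance will make the client accept it.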

*root the VM's with redhat disc*

https://www.rootusers.com/how-to-reset-root-user-password-in-centos-rhel-7/
&
https://www.rootusers.com/red-hat-certified-system-administrator-rhcsa-ex200-passed/
~~~
Boot off Centos/rhel disc
Press 1 for single user mode
# chroot /mnt/sysimage
# passwd root
! set a password now.
! allow root login with ssh so you can login with ssh after rebooting.
# vi /etc/ssh/sshd_config - remove hash on "#PermitRootLogin yes" or if "PermitRootLogin no" make it "PermitRootLogin yes"
! if Cisco ACS 5.x - you can reboot now.
# exit - exit chrooted env
# touch /.autorelabel
# reboot
! if ISE - set /etc/shadow to read-only.
# chattr +i /etc/shadow
# exit - exit chrooted env
# touch /.autorelabel
# reboot
~~~

Even so your thing works but it screws up a bunch. For example it no longer executes the show run or wr t in the ise admin CLI.

Yes, this is true, so you can just go into your Linux root over SSH when you need to use the Cisco ISE CLI and do a "chattr -i /etc/shadow", and when you are done (and make sure to do this before rebooting again) do a "chattr +i /etc/shadow".

I rarely ever need to use Cisco's ISE CLI, and the only harm I see it cause is that you cannot use show run/config changes in the Cisco ISE CLI, so you have to decide what is most important to you. For me, having Linux root is more critical, since I rarely ever make changes in the Cisco ISE CLI, and if I need to, it is a simple config to allow changes to be made with chattr in root.

If you do run the "chattr -i /etc/shadow" to make changes in the Cisco ISE CLI, before you reboot you need to make sure you "chattr +i /etc/shadow" or your root will disappear after rebooting.

 

Regards,

Alex

What does this shadow file do? I know it stores the encrypted passwords. Wouldn't there be a way to create a new user which would have root access and would not require the shadow file to be read-only? There seem to be other commands which a change of the shadow file will make fail, other than show run and wr t. For example, show user fails as well.

You can create a new user just as you would in any other Linux distribution; not going to go through that here. If you're not well versed in Linux, then I would say doing this to maintain root might not be beneficial for you. I have created another user with appropriate sudo permissions, which can be done in /etc/sudoers, but the same thing happens: if you reboot without /etc/shadow being chattr +i, then you go back to non-root, regardless of having other users than the "root" user.

I have found that any command can be completed in the Cisco ISE CLI once you have done chattr -i /etc/shadow, but you'll lose your root if you keep it that way, so it's up to you if you want to maintain root, and to do that before any reboot I have had to do "chattr +i /etc/shadow".

 

Regards,

Alex

Thanks I wasn’t sure if the Cisco process would get rid of any new user as well and remove its root access.

So basically make the change as per your instructions and do what I need to do, then go and undo the read-only on the shadow file and stuff should work as normal for the CLI admin. Will I lose root access without a reboot or only after a reboot? If so, I just need to make sure shadow is read-only when I reboot.

Thanks for the insight.

By hacking the root shell on ISE you are putting the appliance into an unsupported configuration. This is very strongly discouraged and may leave you with a non-working configuration.

Thanks for the advice, I am sure that earns you an extra sticker from Cisco.

I've seen more than one appliance get bricked by well-meaning sysadmins trying to subvert the built-in guard rails that Cisco has. When you see under the covers all of the various processes, databases and interdependencies that allow ISE to do what it does, you will think long and hard before circumventing the system's built-in restrictions.

If you legitimately need something done as root, TAC can assist. Open a case and they will install a root patch and perform the necessary modifications in a live WebEx session with you.

@LetsTryThis 

Everyone here is encouraged to avoid rude and impolite statements toward members. But actually this is what your parents should teach you in the first place.

For what it is worth, I want to agree with what Marvin is saying. While I have never gone into the shell within ISE, I have in Prime, to extend the number of lines in a report before it truncates. In doing so I accidentally added a space into the file and bricked the server. I found out the reason only after reimaging and rebuilding the application. I would assume the same would hold true for ISE: one single incorrect character in the right file and poof!!! there goes your application.
