How to get into linux shell on Cisco ISE 1.2 ??

ammahend
VIP

How to get into linux shell on Cisco ISE 1.2 ???

-hope this helps-
8 Replies

Ravi Singh
Level 7

Please follow the below steps.

Step 1 After the Cisco ISE installation, launch a supported product, such as PuTTY, for establishing a Secure Shell (SSH) connection to a Cisco ISE appliance.

Step 2 In the Host Name (or IP Address) field, enter the hostname (or the IP address in dotted decimal format of the Cisco ISE appliance) and click Open.

Step 3 At the login prompt, enter the CLI-admin username (admin is the default) that you configured during setup and press Enter.

Step 4 At the password prompt, enter the CLI-admin password that you configured during setup (this is user-defined and there is no default) and press Enter.

nspasov
Cisco Employee

By default the shell is locked down and you don't have access to it outside of a few "cisco like" commands and some ISE related commands. If you want more than that you will need to install a "root patch" that can be provided by Cisco TAC.

Thank you for rating helpful posts!

Saurav Lodh
Level 7

You cannot!

All you need to do is boot from a Linux disc and do the following:

*root the VM's with redhat disc*

https://www.rootusers.com/how-to-reset-root-user-password-in-centos-rhel-7/
&
https://www.rootusers.com/red-hat-certified-system-administrator-rhcsa-ex200-passed/
~~~
Boot off Centos/rhel disc
Press 1 for single user mode
# chroot /mnt/sysimage
# passwd root

! set a password now.

! allow root login with ssh so you can login with ssh after rebooting.
# vi /etc/ssh/sshd_config - remove hash on "#PermitRootLogin yes" or if "PermitRootLogin no" make it "PermitRootLogin yes"

! if Cisco ACS 5.x - you can reboot now.

# exit - exit chrooted env
# touch /.autorelabel

# reboot

! if ISE - set /etc/shadow to read-only.

# chattr +i /etc/shadow

# exit - exit chrooted env
# touch /.autorelabel

# reboot
~~~

This is not something that anyone should be doing on an ISE deployment, and it won't enable a user to access root or the Linux shell. ISE leverages something called ADE-OS which sits on top of RHEL. As indicated by nspasov, you access the underlying Linux CLI via TAC and the root key/root patch. This is not something Cisco provides for end user use, it is only used by TAC during troubleshooting to fix advanced issues. So even if you edit the root password, you need the root key that expires frequently, and the root patch that will work on your version.

It's also a 5-year-old thread, no need to bump this.

It works fine and then you can simply ssh in as root and get into bash and/or then create more usernames by un-chattering /etc/shadow with chattr -i /etc/shadow. Then edit your /etc/sudoers and allow your other user-ids to do passwordless sudo commands "newuser ALL=(ALL) NOPASSWD:ALL".

However if you reboot without setting /etc/shadow back to read-only it will reset the root so all that is required is to chattr +i /etc/shadow again if you need to make user-id changes. If Cisco would fix simple things like SSH ciphers and provide a way for SSH public key then something like this would not be required.

You are correct it should not be done in a production environment but for lab purposes there is no harm.

The classical way of replacing "!!" in shadow with no characters works too. The advice/recommendation "DO NOT EMULATE AT HOME/AT WORK" still applies.
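As an added defender-side check, not code from the thread or from Cisco: a POSIX shell audit that looks for exactly the traces the rescue-disc posts describe (PermitRootLogin yes, an empty password field in /etc/shadow, NOPASSWD sudoers entries, and the immutable bit on /etc/shadow), run here against a constructed sample. The function names, the sample file contents and the `audit_files` wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper (not from the thread or Cisco): looks on an RHEL-based host
# for the traces the rescue-disc procedure leaves. Paths are arguments.

# PermitRootLogin explicitly set to yes. An absent directive falls back to the
# sshd default, which this check deliberately does not try to resolve.
check_permit_root_login() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$1"
}

# Accounts whose shadow password field is empty (the "!!" replaced by nothing
# trick); prints their names and succeeds only when at least one is found.
check_empty_shadow_passwords() {
    awk -F: '$2 == "" { print $1; found = 1 } END { exit !found }' "$1"
}

# Uncommented NOPASSWD entries such as "newuser ALL=(ALL) NOPASSWD:ALL".
check_nopasswd_sudo() {
    grep -Eq '^[^#]*NOPASSWD' "$1"
}

# Immutable bit (chattr +i) on the shadow file, the one change the thread says
# survives a reboot. Returns 2 when lsattr is missing or attributes unsupported.
check_shadow_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 2
    attrs=$(lsattr -d "$1" 2>/dev/null) || return 2
    printf '%s\n' "$attrs" | awk '{ print $1 }' | grep -q i
}

# Runs all four checks and prints the number of findings.
# Live use: audit_files /etc/ssh/sshd_config /etc/shadow /etc/sudoers
audit_files() {
    n=0
    check_permit_root_login "$1" && n=$((n + 1))
    check_empty_shadow_passwords "$2" >/dev/null && n=$((n + 1))
    check_nopasswd_sudo "$3" && n=$((n + 1))
    check_shadow_immutable "$2" && n=$((n + 1))
    echo "$n"
}

# Constructed sample (not real data) reproducing the edits described above.
make_tampered_sample() {
    d=$(mktemp -d)
    printf '%s\n' '# sshd_config' 'PermitRootLogin yes' > "$d/sshd_config"
    printf '%s\n' 'root::18000:0:99999:7:::' 'bin:*:18000:0:99999:7:::' \
        'newuser:$6$saltsalt$hashhash:18000:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'root ALL=(ALL) ALL' 'newuser ALL=(ALL) NOPASSWD:ALL' > "$d/sudoers"
    echo "$d"
}
```

On the constructed sample the first three checks fire and the immutable check does not, so `audit_files` reports 3; on a real appliance, a change to any of these files outside a TAC session is worth an incident ticket rather than a cleanup.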

Venkatesh Attuluri
Cisco Employee

No. Not unless allowed admin access and ability to install additional software.