Reset ISE CLI password

Kashish_Patel
Level 2

Hi Security Experts,

Is it possible to reset/recover the ISE CLI password from the ISE web GUI? I am able to get into the web GUI of ISE, but not able to log in to its CLI. So I want to reset/recover the ISE CLI password from its GUI.

PS: I rate useful posts.

Thanks,

Kashish


I think this problem can be solved just by changing the admin password policy settings via the GUI and trying again.

Joana Manzano
Level 1

Hi,

I have the same issue. I cannot login to the CLI and I would like to reset the admin password.

We are using a Cisco ISE appliance. Do we need to use a DVD to reset the password, or is it a different process? I have checked the original box and I have only found the Licence and Warranty CD, but there is no DVD.

Do you know what I need to do next?

Thanks in advance!

Joana.

Yes, you need a DVD to reset the ISE CLI admin username and password.

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_postins.html#wp1189908

I've also created a doc to reset different credentials within ISE.

https://supportforums.cisco.com/docs/DOC-33793

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

OK. Where can I get this DVD? It is not in the same box as the Cisco ISE appliance...

Thanks!

Joana.

Please ignore my last post. That was for ACS 5.x.

In order to download the ISE 1.x ISO (DVD image), you need to download the software from the link listed below.

http://software.cisco.com/download/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.2&relind=AVAILABLE&rellifecycle=&reltype=latest

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

If you have too many attempts from the CLI, it will lock out the CLI password and the only way to recover is with the DVD. This is especially the case when you have a security scanning system scanning the ISE, thus locking out the "admin" CLI account. Stupid Cisco.

The workaround is:

nkiseu1/admin(config)# password-policy
nkiseu1/admin(config-password-policy)# no password-lock-enabled
nkiseu1/admin(config-password-policy)# end
nkiseu1/admin#

That will ensure the "admin" account will not lock out after excessive attempts.

Hi,

I will do it after using the DVD to recover the admin password for the CLI. I know, it is quite annoying...

Very useful, thanks!

Joana.

Hi David,

Do you know the default value for the "password-lock-retry-count" option in the password-policy?

I was recently asked to change the CLI password for one of my CLI user accounts after logging in.

Therefore I changed the password, but couldn't log in thereafter?

Maybe a forbidden character was used in the new password? (Is there a list of such characters?)

We're currently on ISE 2.7 Patch 3, on an HV VM.

Best Regards

Klaus

Hi,

We have two ISE boxes (ISE-3395-K9); one will be configured as the Admin Primary Node and the second one as the Admin Secondary Node. These boxes have the Basic Licence. Therefore, they will not support Profiling/NAC; the ISEs will only be used for RADIUS authentication to replace our Cisco ACS servers.

There are different ISOs on the Cisco website ("Download Software"), so I am confused about which is the right ISO for my scenario. The two Cisco ISEs (ISE-3395-K9) will be configured as PAN nodes, because the Inline Posture Node (IPN) is not supported due to the Basic Licences that we have, so I guess that the ISO I need to use is: "Cisco ISE Software Version 1.2.0 full installation (no IPN functionality). This ISO file can be used for installing ISE on ISE-33x5, NAC-33x5 Appliances, SNS-34x5 Servers and CSACS-1121 as well as a VM installation on VMWare ESX/ESXi 4.x/5.x".

Is that right?

Thanks in advance!

Tarik Admani
VIP Alumni

Keep in mind that this is a security appliance, so having a password locking mechanism is a best practice which prevents brute force attacks. As far as scanning devices go, they should be tuned and configured, or use a different user account, so this doesn't happen.

Tarik Admani wrote:

Keep in mind that this is a security appliance so having a password locking mechanism is a best practice which prevents brute force attacks.

You sound like someone who works for Cisco.

Password locking is NOT the best practice. The best practice is having an IPS in-line in front of the ISE to detect this and block the attacker for the brute force password attack, not enabling the password locking mechanism by default. This is stupid by design.

The other thing is the password locking of the UI account. That feature can NOT be turned off either. How stupid can that be? Cisco has recognized it and according to Cisco (I have not been able to confirm it), you can disable this feature in version 1.2.

Yes, it can be disabled.

ise12/admin(config-password-policy)# no password-lock-enabled ?
  <cr>  Carriage return

Have you deployed an IPS in front of ISE to look for HTTP POSTs specifically for username/password? What if you had 5 different people logging into ISE at the same time and each mistyped the password. Would your signature fire? What if it was just 1 person with 5 incorrect logins?

What if it's encrypted?

Are you going to look for the ISE reply message of "Invalid username or password" 5 times and then fire the rule?
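The questions above (one host with 5 failures versus 5 people each mistyping once, and a scanner cycling usernames against one box) map onto a simple per-source sliding-window detector. This is an added example, not code from the thread or from Cisco; the log line format and sample lines are constructed, since ISE's own log format is not shown here.

```python
"""Added example, not from the thread: flag one host hammering logins without
flagging several people mistyping. Log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 admin LOGIN_FAIL
2024-01-10T09:00:02 10.0.0.5 admin LOGIN_FAIL
2024-01-10T09:00:03 10.0.0.5 admin LOGIN_FAIL
2024-01-10T09:00:04 10.0.0.5 admin LOGIN_FAIL
2024-01-10T09:00:05 10.0.0.5 admin LOGIN_FAIL
2024-01-10T09:30:00 10.0.1.11 alice LOGIN_FAIL
2024-01-10T09:30:05 10.0.1.12 bob LOGIN_FAIL
2024-01-10T09:30:07 10.0.1.13 carol LOGIN_FAIL
2024-01-10T09:30:09 10.0.1.14 dave LOGIN_FAIL
2024-01-10T09:30:11 10.0.1.15 erin LOGIN_FAIL
2024-01-10T10:00:00 10.0.2.9 root LOGIN_FAIL
2024-01-10T10:00:01 10.0.2.9 admin LOGIN_FAIL
2024-01-10T10:00:02 10.0.2.9 cisco LOGIN_FAIL
2024-01-10T10:00:03 10.0.2.9 guest LOGIN_FAIL
2024-01-10T10:00:04 10.0.2.9 operator LOGIN_FAIL
"""

def parse(log):
    events = []
    for line in log.splitlines():
        if m := LINE_RE.match(line):
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when one source host accumulates `threshold` failures inside a sliding
    `window`, whatever usernames it cycles through; five people on five hosts
    each mistyping once never reach it."""
    recent = defaultdict(list)          # src -> [(ts, user), ...] inside window
    alerts = []
    for ts, src, user, result in events:
        if result != "LOGIN_FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.pop(0)
        if len(q) >= threshold:
            alerts.append((src, sorted({u for _, u in q}), q[0][0], ts))
            q.clear()                   # one alert per burst
    return alerts
```

Keying on the source host rather than the username means the scanner that rotates through common usernames (the case raised later in the thread) is caught while the five distinct users on five distinct hosts are not.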


Hello,

I am having the same issue; ISE 1.1.12, all 4 nodes are CLI-locked.

Thank you for the info to clear it, but I have this question:  Rather than disabling password-lockout, can I create a second CLI-capable account with a unique username?  Or will this "scanning" disable anything?

thank you,

Andrew

You can create any number of CLI accounts through the CLI. From global config:

username <name> password plain <password> role admin

The 'scanning' that was previously mentioned on this thread could be the cause of accounts being locked out if the process involves attempting to brute force access into the box. It will only lock out the account that is being attempted, so if you have a second user that will be unaffected (unless the scanner rotates common usernames and attempts your second user).

Thanks Sam,

That's what I figured; if I created a random/unique username, then I would have a reliable backdoor.

The customer doesn't want to disable the lockout or modify their network security scanning.

thanks,

Andrew