eddiem
Cisco Employee

This feature has been around for quite some time, but every time I describe it to ISE sellers and customers, I get surprised looks. Did you know that in ISE 2.1 and newer, you can reset the networking configuration of the ISE node with a single CLI command? Before this feature was introduced in ISE 2.1, if you wanted to change the IP, hostname, or DNS domain of your ISE node, you had to use a separate config-level CLI command for each of those networking settings. Each change would result in a restart of ISE services that could take upwards of 10 minutes. You were looking at 30 minutes of restart time to change the network identity of a single ISE node!

That all changed in ISE 2.1 with the introduction of the ‘reset-config’ exec CLI. Note that the ‘reset-config’ CLI is not to be confused with the ‘application reset-config ise’ CLI, which has been around since day one and has a completely different function. The ‘reset-config’ CLI prompts the user to re-enter all of the node-level OS configuration properties that define the network identity of the ISE node. The ISE node hostname, IP, gateway, DNS, NTP, and time zone can all be reset, and completing the prompts results in a single restart of ISE services. Since the CLI resets the networking configuration, it can only be run from the console port. It is important to point out that the ‘reset-config’ CLI only resets the local ISE node network configuration. It has no effect on the ISE configuration database. Therefore, ISE policy configuration, local identities, NADs, guest portal configuration, etc. are all left intact after the ‘reset-config’ CLI is run.

Here is a sample of using the ‘reset-config’ CLI:

isedemo/admin# reset-config
% WARNING: This option will allow you to reset all networking settings, hostname,
% domain name, NTP servers and the timezone. Updating the hostname will cause
% any certificate using the old hostname to become invalid. A new self-signed
% certificate using the new hostname will be generated now for use with HTTPS/
% EAP. If CA-signed certs were used on this node, please import the new ones
% with the correct hostname. In addition, if the node is part of an AD domain,
% please delete any AD memberships before proceeding.
%
% All services will be restarted upon completion.
Are you sure you want to continue? (yes/no) [yes] ? yes
Enter hostname[isedemo]: isepan1
Enter IP address[192.168.49.10]: 10.1.100.21
Enter IP netmask[255.255.255.0]:
Enter IP default gateway[192.168.49.1]: 10.1.100.1
Enter default DNS domain[demo.local]: myproduction.com
Enter primary nameserver[192.168.49.1]: 10.1.100.10
Add secondary nameserver? Y/N [N]:
Enter NTP server[time.nist.gov]: 10.1.100.11
Add another NTP server? Y/N [N]:
Enter system timezone[UTC]:
Continue with the changes? Y/N [Y]: Y
Application services will get restarted. Do not use Ctrl-C from this point on...

The primary use case for the ‘reset-config’ CLI is to easily readdress/rename an ISE node without having to reinstall, or reconfigure all of the ISE policy.
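The warning in the session above says certificates tied to the old hostname become invalid and that CA-signed certificates must be re-imported. The following is an added example, not part of the original post and not Cisco code: a post-change audit of a node certificate. It assumes the certificate is available in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the finding strings and the sample certificates are constructed for illustration, and the FQDNs are assembled from the hostname and domain values in the session.

```python
# Added example (not Cisco code): audit a node certificate after reset-config.
# `cert` uses the dict shape returned by Python's ssl.SSLSocket.getpeercert().

def _names(cert, kind):
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == kind]

def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def _covers(pattern, fqdn):
    """Exact match, or a wildcard standing for the left-most label only."""
    if pattern.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == pattern[2:]
    return pattern == fqdn

def audit_cert_after_rename(cert, old_fqdn, new_fqdn, new_ip):
    findings = []
    dns = _names(cert, "DNS")
    if not dns and _common_name(cert):      # legacy certs with no SAN
        dns = [_common_name(cert)]
    if not any(_covers(p, new_fqdn.lower()) for p in dns):
        findings.append("cert does not cover new FQDN")
    if any(p == old_fqdn.lower() for p in dns):
        findings.append("cert still names old FQDN")
    ips = _names(cert, "IP Address")
    if ips and new_ip not in ips:
        findings.append("cert IP SAN does not include new IP")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed: import CA-signed cert for new hostname")
    return findings

# Constructed samples; hostnames and addresses come from the session above.
def _dn(cn):
    return ((("commonName", cn),),)

REGENERATED = {"subject": _dn("isepan1.myproduction.com"),
               "issuer": _dn("isepan1.myproduction.com"),
               "subjectAltName": (("DNS", "isepan1.myproduction.com"),)}
STALE_CA = {"subject": _dn("isedemo.demo.local"),
            "issuer": _dn("Example Lab CA"),
            "subjectAltName": (("DNS", "isedemo.demo.local"),
                               ("IP Address", "192.168.49.10"))}

if __name__ == "__main__":
    for label, cert in (("regenerated", REGENERATED), ("stale", STALE_CA)):
        print(label, audit_cert_after_rename(
            cert, "isedemo.demo.local", "isepan1.myproduction.com", "10.1.100.21"))
```

An empty result means the certificate covers the new identity and is not self-signed.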

7 Comments
Arne Bier
VIP

Great tip and one that I will probably have to use one day!  It's a lot less painful than an application reset-config

Having said that, the application reset-config is a neat way to get another 90 days of eval licence if you needed that (without a complete re-install). In some lab environments I had to do that and then restore the config backup.  But it works.

Rey-
Cisco Employee
I know this is a basic/simple question, but is there a way to reset the ISE server from the GUI? I was given access to an ISE instance in the lab for our lab devices, so I tried looking around some of the Admin menus and I don't see where to reset the ISE instance. Our ISE instance is running within vcenter and I know I can reset or power off/on from here, but this is not a graceful restart of the server. I checked some ISE documentation but couldn't find a section that explains this. Can someone point me to where in the GUI I can perform a graceful reset/reboot of the ISE server? thanks!
Arne Bier
VIP

Hi @Rey- - there is no option in the GUI to reset/reboot.  This is one of those cases where the CLI has exclusive features that are not found in the GUI.

You would have to log into the ISE node that you want to shut down via ssh. 

Then shut it down with

application stop ise

And then issue command

halt

That will power off the machine/VM.

Rey-
Cisco Employee
Thanks @Arnie for the info. That helps!
jpl861
Level 4

Hi there. Do I need to do the same process if my goal is to just change the IP address? Or is changing it directly under the interface configuration enough? Thanks!

albertofdez
Level 1

Hi,

I use Cisco ISE in a VMware environment. I have created a clone of a Cisco ISE 2.3.0 (with all roles) because I want to upgrade to version 2.7.0.

I had thought to do a reset-config in the clone after booting to change the IP and to be able to have the 2 ISEs in the same network while performing the update. Is it possible? Are all settings kept?

Thanks.

drichards21
Level 1

I just wanted to add that if you're in a PAN, you must deregister and set each server as standalone, make the changes, and put the PAN back together afterward, after all the services start up again.

I wish there was an easier way, as I have 4 servers, 2 are moving sites, and I have to remove each one to change the IP, Subnet Mask, or Gateway.
