Showing results for 
Search instead for 
Did you mean: 

How to Reset CLI and Database passwords (admin\user) in ISE





ISE uses two database accounts. One is the admin account, and the  second is the user account. In case you'd like to reset or change it later in your deployment, you can reset them from the standard ISE CLI  with the following commands

Database accounts

application reset-passwd ise internal-database-admin
application reset-passwd ise internal-database-user

Note:  If  you reset the internal database user password,  Cisco ISE prompts you to  restart the application. The internal  database user password is reset  after you restart the Cisco ISE  application.

User Interface

ISE uses a different account to allow user to access User Interface (UI). This can also be reset with the help of standard CLI command.

# application reset-passwd application-name administrator-ID

!--application reset-passwd ise admin

application reset-passwd (Command Reference Guide)

Command Line Interface (CLI) 

For accessing Command Line Interface (CLI) of ISE, we need a different admin account. If no one is able to log into the Cisco ISE system because the administrator password has been lost, forgotten, or compromised, we can only use the Recovery DVD to reset the ISE CLI admin password.

Resetting the Administrator Password for a Cisco ISE Appliance


Scenario 2:


Using ISE 1.2 and setting up a new Radius Server Sequence, I am unable to use IETF Radius attribute 88 (Framed-Pool) as it is not displayed in the Radius IETF Dictionary.

Is there a reason for this? Most other IETF attributes are available, I am curious as to why this one is missing images frame 0 and 2?



Refer to link mentioned below:


Hope this helps.

Mountain Man

Thanks for the info. Question: does ISE lock up users if the login excceded the max times setting?  I can login to the secondary, but primay ssh give me: Permission denied (publickey,password). Any idea?


Jatin Katyal
Cisco Employee
CLI admin users, by default, will be locked if failed passwords for more than 5 times due to the password policy.







  min-password-length 6


  password-lock-retry-count 5

If you want to disable the password-policy on CLI, please run the following commands on the CLI.

conf t


          no password-expiration-enable

Mountain Man

Thanks for the prompt answering

Unfortunately, I cannot get in to the primary CLI anymore.  I guess I have to use the DVD way to do that?

Jatin Katyal
Cisco Employee

Yes, you're right. In order to acess the box via CLI, the only way is to boot it using ISO image to recover the admin credentials.

Not applicable

Dear Jatin

I have the problem that the password recovery by using the ISO image does not work. I am able to set the new password but after I did that I cannot login with the password set.

It is a VM installation (ise- Do you have any idea what the reason could be?

Thanks a lot and best regards


Mountain Man


Just in case if you confused the CLI pass with GUI pass. They are different. GUI admin credential does not work on CLI.   I remember I resolve the CLI login issue by reboot the primary.  Sounds this might not apply to you.  Have a good luck!


Not applicable

Dear Mountain Man

Thanks for your feedback. Yes I know. Be carefully with ISE 2.2. It is a bug:

And there is no workaround. I had to reinstall the ISE-Server. In ISE 2.2 the cli password of the admin user will be locked after 3 failing attemps. And if you cannot reset the admin password you are lost. With the admin GUI user you cannot reactivate the cli admin user. Its a security device so secure password policies.

Best Regards