How to Reset CLI and Database passwords (admin\user) in ISE

Jatin Katyal · ‎05-31-2013

Scenario 2:

Introduction

ISE uses two database accounts. One is the admin account, and the second is the user account. In case you'd like to reset or change it later in your deployment, you can reset them from the standard ISE CLI with the following commands

Database accounts

application reset-passwd ise internal-database-admin
application reset-passwd ise internal-database-user

Note: If you reset the internal database user password, Cisco ISE prompts you to restart the application. The internal database user password is reset after you restart the Cisco ISE application.

User Interface

ISE uses a different account to allow user to access User Interface (UI). This can also be reset with the help of standard CLI command.

# application reset-passwd application-name administrator-ID

!--application reset-passwd ise admin

application reset-passwd (Command Reference Guide)

Command Line Interface (CLI)

For accessing Command Line Interface (CLI) of ISE, we need a different admin account. If no one is able to log into the Cisco ISE system because the administrator password has been lost, forgotten, or compromised, we can only use the Recovery DVD to reset the ISE CLI admin password.

Resetting the Administrator Password for a Cisco ISE Appliance

Scenario 2:

Problem:

Using ISE 1.2 and setting up a new Radius Server Sequence, I am unable to use IETF Radius attribute 88 (Framed-Pool) as it is not displayed in the Radius IETF Dictionary.

Is there a reason for this? Most other IETF attributes are available, I am curious as to why this one is missing images frame 0 and 2?

Solution:

Refer to link mentioned below:

Doc

Hope this helps.

Mountain Man · ‎02-04-2014

Thanks for the info. Question: does ISE lock up users if the login excceded the max times setting? I can login to the secondary, but primay ssh give me: Permission denied (publickey,password). Any idea?

Thanks,

Jatin Katyal · ‎02-04-2014

CLI admin users, by default, will be locked if failed passwords for more than 5 times due to the password policy.

password-policy

lower-case-required

upper-case-required

digit-required

no-username

disable-cisco-passwords

min-password-length 6

password-lock-enabled

password-lock-retry-count 5

If you want to disable the password-policy on CLI, please run the following commands on the CLI.

conf t

password-policy

no password-expiration-enable

Mountain Man · ‎02-04-2014

Thanks for the prompt answering

Unfortunately, I cannot get in to the primary CLI anymore. I guess I have to use the DVD way to do that?

Jatin Katyal · ‎02-06-2014

Yes, you're right. In order to acess the box via CLI, the only way is to boot it using ISO image to recover the admin credentials.

Permalink · ‎05-31-2017

Dear Jatin

I have the problem that the password recovery by using the ISO image does not work. I am able to set the new password but after I did that I cannot login with the password set.

It is a VM installation (ise-2.2.0.470.SPA.x86_64.iso). Do you have any idea what the reason could be?

Thanks a lot and best regards

Oliver

Mountain Man · ‎06-01-2017

Oliver,

Just in case if you confused the CLI pass with GUI pass. They are different. GUI admin credential does not work on CLI. I remember I resolve the CLI login issue by reboot the primary. Sounds this might not apply to you. Have a good luck!

MM

Permalink · ‎06-01-2017

Dear Mountain Man

Thanks for your feedback. Yes I know. Be carefully with ISE 2.2. It is a bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve27812/?referring_site=bugquickviewredir

And there is no workaround. I had to reinstall the ISE-Server. In ISE 2.2 the cli password of the admin user will be locked after 3 failing attemps. And if you cannot reset the admin password you are lost. With the admin GUI user you cannot reactivate the cli admin user. Its a security device so secure password policies.

Best Regards

Oliver