05-31-2013 04:23 PM - edited 02-21-2020 09:59 PM
ISE uses two database accounts: the admin account and the user account. If you need to reset or change their passwords later in your deployment, you can do so from the standard ISE CLI with the following commands:
application reset-passwd ise internal-database-admin
application reset-passwd ise internal-database-user
Note: If you reset the internal database user password, Cisco ISE prompts you to restart the application. The internal database user password is reset after you restart the Cisco ISE application.
ISE uses a different account to allow users to access the user interface (UI). Its password can also be reset with a standard CLI command.
# application reset-passwd application-name administrator-ID
!--application reset-passwd ise admin
application reset-passwd (Command Reference Guide)
For accessing Command Line Interface (CLI) of ISE, we need a different admin account. If no one is able to log into the Cisco ISE system because the administrator password has been lost, forgotten, or compromised, we can only use the Recovery DVD to reset the ISE CLI admin password.
Resetting the Administrator Password for a Cisco ISE Appliance
Problem:
Using ISE 1.2 and setting up a new Radius Server Sequence, I am unable to use IETF Radius attribute 88 (Framed-Pool) as it is not displayed in the Radius IETF Dictionary.
Is there a reason for this? Most other IETF attributes are available, I am curious as to why this one is missing?
Solution:
Refer to link mentioned below:
Hope this helps.
Thanks for the info. Question: does ISE lock up users if the login exceeded the max times setting? I can log in to the secondary, but primary ssh gives me: Permission denied (publickey,password). Any idea?
Thanks,
CLI admin users, by default, will be locked after more than 5 failed password attempts due to the password policy.
password-policy
lower-case-required
upper-case-required
digit-required
no-username
disable-cisco-passwords
min-password-length 6
password-lock-enabled
password-lock-retry-count 5
If you want to disable the password-policy on CLI, please run the following commands on the CLI.
conf t
password-policy
no password-expiration-enable
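As an added example (not part of the reply above and not Cisco tooling), this Python script parses the password-policy block quoted above from a saved copy of the CLI configuration and reports the lockout settings, so the retry count is known before the CLI admin account is at risk of being locked. The function names and the 8-character length floor are assumptions.

```python
# Added example: audit an ISE CLI password-policy block for lockout settings.
FLAGS = {"lower-case-required", "upper-case-required", "digit-required",
         "no-username", "disable-cisco-passwords", "password-lock-enabled",
         "password-expiration-enable"}
VALUES = {"min-password-length", "password-lock-retry-count"}
COMPLEXITY = ("lower-case-required", "upper-case-required", "digit-required")

# Constructed sample: the policy lines quoted in the reply above.
SAMPLE_CONFIG = """\
password-policy
  lower-case-required
  upper-case-required
  digit-required
  no-username
  disable-cisco-passwords
  min-password-length 6
  password-lock-enabled
  password-lock-retry-count 5
"""

def parse_password_policy(config_text):
    """Return {keyword: bool or int} for the first password-policy block."""
    policy, in_block = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_block:
            in_block = line == "password-policy"
            continue
        negated = line.startswith("no ")
        words = (line[3:] if negated else line).split()
        if len(words) == 1 and words[0] in FLAGS:
            policy[words[0]] = not negated
        elif len(words) == 2 and words[0] in VALUES and words[1].isdigit():
            policy[words[0]] = None if negated else int(words[1])
        else:
            break  # first line that is not a known sub-command ends the block
    return policy

def audit(policy, min_length_floor=8):  # floor of 8 is an assumption
    """Return findings an admin should review before relying on CLI access."""
    findings = []
    if policy.get("password-lock-enabled"):
        count = policy.get("password-lock-retry-count") or "not set"
        findings.append(f"lockout enabled: retry count {count}; verify the recovery path")
    else:
        findings.append("lockout disabled: failed CLI logins are not limited")
    length = policy.get("min-password-length") or 0
    if length < min_length_floor:
        findings.append(f"min-password-length {length} is below {min_length_floor}")
    missing = [flag for flag in COMPLEXITY if not policy.get(flag)]
    if missing:
        findings.append("complexity rules not enforced: " + ", ".join(missing))
    return findings
```

Calling `audit(parse_password_policy(text))` on the sample returns two findings: the lockout retry count of 5 and the 6-character minimum length.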
Thanks for the prompt answer.
Unfortunately, I cannot get in to the primary CLI anymore. I guess I have to use the DVD way to do that?
Yes, you're right. In order to access the box via CLI, the only way is to boot it using the ISO image to recover the admin credentials.
Dear Jatin
I have the problem that the password recovery by using the ISO image does not work. I am able to set the new password but after I did that I cannot login with the password set.
It is a VM installation (ise-2.2.0.470.SPA.x86_64.iso). Do you have any idea what the reason could be?
Thanks a lot and best regards
Oliver
Oliver,
Just in case you confused the CLI pass with the GUI pass: they are different. The GUI admin credential does not work on the CLI. I remember I resolved the CLI login issue by rebooting the primary. Sounds like this might not apply to you. Good luck!
MM
Dear Mountain Man
Thanks for your feedback. Yes, I know. Be careful with ISE 2.2. It is a bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve27812/?referring_site=bugquickviewredir
And there is no workaround. I had to reinstall the ISE server. In ISE 2.2 the CLI password of the admin user will be locked after 3 failing attempts. And if you cannot reset the admin password you are lost. With the admin GUI user you cannot reactivate the CLI admin user. It's a security device so secure password policies.
Best Regards
Oliver