Reset ISE CLI password

Answered Question
Jul 29th, 2012
User Badges:

Hi Security Experts,


Is  it possible to reset/recover ISE CLI password from ISE WebGUI? I am  able to get into web gui of ISE, but not able to login to its CLI. So  want to reset/recover ISE CLI password from its GUI.


PS: I rate useful posts.


Thanks,

Kashish

Correct Answer by Tarik Admani about 5 years 2 weeks ago

Hi,


You can only recover the cli password after rebooting the ise node from install DVD. There is no other method.


For reference - http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/is...


Sent from Cisco Technical Support iPad App

Kashish_Patel Sun, 07/29/2012 - 22:49
User Badges:

Hi Tarik,


Thanks for replying.


Here is what happened:

We have two admin ISE nodes (VMs) and two policy service nodes.

Everything (GUI and CLI) was fine for all the 4 nodes. I then changed the admin GUI password on primary admin ise node. I did NOT change password on any of the other three nodes. However, I can login to web gui of all the four nodes using the password that I changed. Is it because of the replication/sync amongst ise nodes?


Does the password sync happen only for web gui passwords and not for cli passwords? Will deregistering/registering the node help in getting its password back? I am positive that the password used to work before and problem happened only after I changed the web gui password of the admin node. I am not sure how the passwords are getting sync'd amongst different ise nodes.


Thanks,

Kashish

Correct Answer
Tarik Admani Sun, 07/29/2012 - 23:15
User Badges:
  • Green, 3000 points or more

Yes, that is correct, the admin credentials/policies are stored in the application database which is shared amongst all the nodes in the deployment. However, the CLI password and also the database passwords are kept local on each instance.


Deregistering and re-registering will not affect the CLI credentials. I have also experienced issues with the PSN nodes changing randomly, but I haven't had a chance to open a TAC case on this; I just reboot the nodes against the ISO and then set them again.


Thanks,


Tarik Admani
*Please rate helpful posts*

Kashish_Patel Tue, 07/31/2012 - 20:03
User Badges:

Tarik,


As per the CLI-admin password recovery procedure at

http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_postins.html#wp1179256


I have inserted DVD in the hardware appliance, but I don't see any prompt with these options:

"Welcome to Cisco Identity Services Engine - ISE 3355


To boot from hard disk press


Available boot options: "


I just see login prompt ( and of course, I cannot login because I don't know the password). I am using serial console connection to the appliance. Any idea on this?

Tarik Admani Tue, 07/31/2012 - 20:15
User Badges:
  • Green, 3000 points or more

Are you using PuTTY? Try using HyperTerminal and see if the option displays correctly.


Sent from Cisco Technical Support iPad App

Kashish_Patel Mon, 10/22/2012 - 02:15
User Badges:

Hi Tarik,


I had successfully reset CLI admin password last time. Now three days back, this issue again happened and had to reset password again using DVD. Do you know if it is an existing bug? What are the triggers for the bug? we already encountered this issue twice in nearly 3-4 months and want to know what triggers it.


Thanks,

Kashish

Rafael Mendes Thu, 08/08/2013 - 13:46
User Badges:

Hello Guys,


I have the same problem here, but my admin/monitoring nodes are VMware machines.

What's the procedure for a VMware environment?


Tks.

Sam Hertica Thu, 08/08/2013 - 13:56
User Badges:
  • Cisco Employee,

It's the same, except since it's virtualized you don't need a DVD. Use the .iso files that are available on cisco.com and mount that to the VMware CD drive. Reboot the VM and watch the console; the procedure is the same from there.

Sam Hertica Thu, 08/08/2013 - 14:06
User Badges:
  • Cisco Employee,

What version of ISE do you have?


I haven't heard of any bugs like this, but I have heard of some customers with environments where there is an automated network scanner that attempts to log into any device with ssh available. ISE will lock out an account that has multiple authentication attempts against it.

Peter Koltl Mon, 10/21/2013 - 13:40
User Badges:
  • Silver, 250 points or more
  • Community Spotlight Award,

    Member's Choice, March 2016

I had successfully reset CLI admin password last time. Now three days  back, this issue again happened and had to reset password again using  DVD. Do you know if it is an existing bug? What are the triggers for the  bug? we already encountered this issue twice in nearly 3-4 months and  want to know what triggers it.


I've seen that at a customer too.

Maksym Kovalenko Sat, 12/03/2016 - 09:51
User Badges:

I think this problem can be solved just by changing the admin password policy settings via the GUI and trying again.

Joana Manzano Fri, 10/18/2013 - 08:00
User Badges:

Hi,


I have the same issue. I cannot login to the CLI and I would like to reset the admin password.

We are using is a Cisco ISE appliance, do we need to use a DVD to reset the password or it is a different process? I have checked the original box and I have only found the Licence and Warranty CD but there is no DVD.


Do you know what I need to do next?


Thanks in advance!


Joana.

Joana Manzano Fri, 10/18/2013 - 08:26
User Badges:

Ok. Where can I get this DVD? It is not in the same box as the Cisco ISE appliance...


Thanks!


Joana.

If you have too many attempts from the CLI, it will lock out the CLI password and the only way to recover this is the DVD. This especially happens when you have a security scanning system scanning the ISE, thus locking out the "admin" CLI account. Stupid Cisco.


The work around is:


nkiseu1/admin(config)# password-policy
nkiseu1/admin(config-password-policy)# no password-lock-enabled
nkiseu1/admin(config-password-policy)# end
nkiseu1/admin#


That will ensure the "admin" account will not lock out after excessive attempts.

Joana Manzano Mon, 10/21/2013 - 02:48
User Badges:

Hi,


I will do it after using the DVD to recover the admin password for the CLI. I know, it is quite annoying...


Very useful, thanks!


Joana.

Joana Manzano Mon, 10/21/2013 - 02:49
User Badges:

Hi,

We have two ISE boxes (ISE-3395-K9); one will be configured as Admin Primary Node and the second one as Admin Secondary Node. These boxes have the Basic Licence. Therefore, they will not support Profiling/NAC, ISEs will be only used for RADIUS Authentication to replace our Cisco ACS Servers.

There are different ISOs in the Cisco website (“Download Software”) so I am confused about which is the right ISO for my scenario. The two Cisco ISEs (ISE-3395-K9) will be configured as PAN Nodes, because Inline Posture Node (IPN) is not supported due to the Basic Licences that we have, so I guess that the ISO that I need to use is: “Cisco ISE Software Version 1.2.0 full installation(no IPN functionality).This ISO file can be used for installing ISE on ISE-33x5, NAC-33x5 Appliances, SNS-34x5 Servers and CSACS-1121 as well as a VM installation on VMWare ESX/ESXi 4.x/5.x

Is that right?

Thanks in advance!

Tarik Admani Fri, 10/18/2013 - 20:14
User Badges:
  • Green, 3000 points or more

Keep in mind that this is a security appliance, so having a password locking mechanism is a best practice which prevents brute force attacks. As far as scanning devices, they should be tuned and configured, or use a different user account so this doesn't happen.


Sent from Cisco Technical Support Android App

Tarik Admani wrote:

Keep in mind that this is a security appliance so having a password locking mechanism is a best practice which prevents brute force attacks.


You sound like someone who works for Cisco.


Password locking is NOT the best practice. The best practice is having an IPS in-line in front of the ISE to detect this and block the attacker for the brute force password attack, not enabling a password locking mechanism by default. This is stupid by design.


The other thing is the password locking of the UI account. That feature can NOT be turned off either. How stupid can that be? Cisco has recognized it and according to Cisco (I have not been able to confirm it), you can disable this feature in version 1.2.

tisnow Mon, 08/11/2014 - 21:45
User Badges:
  • Cisco Employee,

Yes, it can be disabled.

ise12/admin(config-password-policy)# no password-lock-enabled ?
  <cr>  Carriage return

Have you deployed an IPS in front of ISE looking for HTTP POSTs specifically for username/password? What if you had 5 different people logging into ISE at the same time and each mistyped the password? Would your signature fire? What if it was just 1 person with 5 incorrect logins?

What if it's encrypted?

Are you going to look for the ISE reply message of " Invalid username or password" 5 times then fire the rule?


andrew.chappelle Fri, 11/08/2013 - 12:22
User Badges:

Hello,

I am having the same issue; ISE 1.1.12, all 4 nodes are CLI-locked.

Thank you for the info to clear it, but I have this question:  Rather than disabling password-lockout, can I create a second CLI-capable account with a unique username?  Or will this "scanning" disable anything?

thank you,

Andrew

Sam Hertica Sat, 11/09/2013 - 07:27
User Badges:
  • Cisco Employee,

You can create any amount of CLI accounts through the CLI. From global config


username <name> password plain <password> role admin


The 'scanning' that was previously mentioned on this thread could be the cause of accounts being locked out if the process involves attempting to brute force access into the box. It will only lock out the account that is being attempted, so if you have a second user that will be unaffected (unless the scanner rotates common usernames and attempts your second user).
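The two points made in this thread, that a scanner hammering `admin` locks only that account (and the spare account survives unless the scanner rotates usernames), and that disabling `password-lock-enabled` removes the lockout entirely, can be reasoned about with a small replay model. The following is an added example, not code from the thread or from Cisco: it replays constructed SSH authentication log lines through a per-account failure counter and reports which accounts would lock and which source addresses caused the failures. The log format and the threshold of 5 are assumptions for the example; real ISE/ADE-OS log lines and the configured policy values differ, so adapt the regex and threshold to your own syslog output.

```python
"""
Added example (not from the thread or from Cisco): a per-account lockout
model replayed over constructed SSH auth log lines. It shows which accounts
a credential-guessing scanner would lock, that a successful login by a
legitimate user resets that user's counter, and which source addresses are
responsible, so they can be matched against the scanner inventory and tuned.
The log format below is invented for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines (not real ISE output): a scanner at 10.0.0.99
# hammering "admin", one typo by the spare account "opsbackup" from the ops
# host followed by a good login, and the same scanner rotating usernames.
SAMPLE_LOG = """\
Nov 08 12:00:01 ise1 sshd: Failed password for admin from 10.0.0.99 port 40001
Nov 08 12:00:02 ise1 sshd: Failed password for admin from 10.0.0.99 port 40002
Nov 08 12:00:03 ise1 sshd: Failed password for admin from 10.0.0.99 port 40003
Nov 08 12:00:04 ise1 sshd: Failed password for admin from 10.0.0.99 port 40004
Nov 08 12:00:05 ise1 sshd: Failed password for admin from 10.0.0.99 port 40005
Nov 08 12:00:06 ise1 sshd: Failed password for admin from 10.0.0.99 port 40006
Nov 08 12:05:00 ise1 sshd: Failed password for opsbackup from 10.0.0.12 port 50001
Nov 08 12:05:10 ise1 sshd: Accepted password for opsbackup from 10.0.0.12 port 50002
Nov 08 12:07:00 ise1 sshd: Failed password for root from 10.0.0.99 port 40007
Nov 08 12:07:01 ise1 sshd: Failed password for cisco from 10.0.0.99 port 40008
"""

LINE_RE = re.compile(
    r"sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Assumed threshold for this model; the real value is whatever the
# appliance's password-policy is configured with.
DEFAULT_MAX_FAILURES = 5


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False
    # source address -> number of failures it caused against this account
    sources: dict = field(default_factory=lambda: defaultdict(int))


def simulate_lockouts(log_text, max_failures=DEFAULT_MAX_FAILURES, lock_enabled=True):
    """Replay auth events and return {username: AccountState}.

    A successful login resets that account's failure counter, as a typical
    policy does; once locked, the account stays locked (the thread's point:
    only the DVD/ISO recovery clears it). With lock_enabled=False (the
    'no password-lock-enabled' workaround) failures are counted but nothing
    ever locks.
    """
    state = defaultdict(AccountState)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line
        acct = state[m["user"]]
        if m["result"] == "Accepted":
            if not acct.locked:
                acct.failures = 0
            continue
        acct.failures += 1
        acct.sources[m["src"]] += 1
        if lock_enabled and acct.failures >= max_failures:
            acct.locked = True
    return dict(state)


def locked_accounts(states):
    """Usernames the replay locked, sorted for stable output."""
    return sorted(u for u, s in states.items() if s.locked)


def noisy_sources(states, min_failures=3):
    """Source IPs that caused at least min_failures failures across all
    accounts: the hosts to check against the scanner inventory and tune."""
    totals = defaultdict(int)
    for s in states.values():
        for src, n in s.sources.items():
            totals[src] += n
    return sorted(src for src, n in totals.items() if n >= min_failures)


if __name__ == "__main__":
    st = simulate_lockouts(SAMPLE_LOG)
    print("locked:", locked_accounts(st))                          # ['admin']
    print("noisy sources:", noisy_sources(st))                     # ['10.0.0.99']
    st_off = simulate_lockouts(SAMPLE_LOG, lock_enabled=False)
    print("locked with lock disabled:", locked_accounts(st_off))   # []
```

Run over real syslog from the appliance, the `noisy_sources` list is the thing to feed back to whoever owns the vulnerability scanner (exclude the ISE management addresses, or give the scanner its own credentials), which keeps the lockout in place for everyone else instead of turning it off.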

andrew.chappelle Tue, 11/12/2013 - 07:33
User Badges:

Thanks Sam,

That's what I figured; if I created a random/unique username then I would have a reliable backdoor.

The customer doesn't want to disable the lockout or modify their network security scanning.

thanks,

Andrew

sudarshan.raguraman Sat, 03/22/2014 - 00:23
User Badges:

Hi Tarik,

We have the same problem. We're unable to login to both CLI and GUI.

In our setup, ISE is run in a single VM.

We followed the same procedure(http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/is...) to recover the password. When option 3 ([3] Reset Administrator Password (Keyboard/Monitor)) was selected after booting from DVD, the below error is thrown. Attached screen shot for your reference.

"Failed to find ADE-OS startup configuration, Unable to proceed with password recovery"

Please help.

Eduardo Brito d... Thu, 04/17/2014 - 15:59
User Badges:

Hello, 


I am also having the same error, can you tell me how you solved?

!!!!!!!! FAILED TO FIND ADE-OS STARTUP CONFIGURATION !!!!!!!!
!!!!!!!! UNABLE TO PROCEED WITH PASSWORD RECOVERY !!!!!!!!!!!

                           SYSTEM WILL RESTART
                       Press any key.....

Dennie Verhoeven Fri, 07/11/2014 - 00:00
User Badges:

Hello,

 

I was trying to reset the CLI password by booting from the ISO file. When I choose option [3] Recover administrator password (Keyboard/Monitor) I get the same error:
 

!!!!!!!! FAILED TO FIND ADE-OS STARTUP CONFIGURATION !!!!!!!!
!!!!!!!! UNABLE TO PROCEED WITH PASSWORD RECOVERY !!!!!!!!!!!

                           SYSTEM WILL RESTART
                           Press any key.....

When I try to recover the CLI password through option [4] Recover administrator password (Console), Cisco ISE loads the recovery image and after that it says it's ready. At this point nothing happens...

Has someone encountered one of these problems and solved them?

Dennie Verhoeven Mon, 08/11/2014 - 23:27
User Badges:

I did manage to resolve this error.

My SCSI controller of the VMWare server was set to Paravirtual.
So I changed it to LSI Logic Parallel and was able to reset the CLI-password of Cisco ISE.

Oliver Borer Wed, 05/31/2017 - 14:14
User Badges:

Dear Dennie

I have the same issue, but if I change the VM setting to LSI Logic Parallel the ISE does not boot anymore.

Did you do anything else?

Thanks and best regards

Oliver

lim.weiyat Thu, 07/24/2014 - 00:20
User Badges:

Hi,

 

I tried to use the DVD to reset the CLI password, but after reboot I'm still unable to use the new password to access the ISE. Any advice?

 

 
