02-15-2014 09:14 AM - edited 03-10-2019 09:24 PM
Hi all,
My issue is different from the usual admin account lockout.
We have two ISEs, primary admin and secondary admin. The admin CLI password works for the secondary ISE but it does not work for the primary ISE.
So, I wanted to shut down the primary ISE and promote the secondary ISE to primary; however, all of our web accounts have expired and you cannot reset user accounts on a secondary admin node using the CLI, as it must be promoted to primary!
When I try to reset the admin CLI password using the ISO image (as we run VMs) on the primary ISE, the process appears to work, but when I try to log in using the new password after a reboot, the login still fails!
I think something has been corrupted on the primary node and therefore I wish to promote the secondary to primary, but I cannot as we have no access to the web GUI.
Please help!
Thanks
Mario
02-16-2014 09:12 AM
Cisco TAC advised that I was trying to use the ISO v1.1.1 to reset the admin password of our 1.2 deployment, which won't work due to 1.2 being 64-bit and 1.1.x being 32-bit.
Sent from Cisco Technical Support iPhone App
03-04-2014 03:10 PM
I have now successfully reset the admin password with the correct ISO.
Mario
02-19-2014 07:01 AM
Hi Mario,
FYI
This issue can occur when the primary and secondary Cisco ISE nodes' databases are out of sync.
• For out-of-sync issues, which are most likely due to time changes or NTP sync issues, you must correct the system time and perform a manual sync up through the UI.
• For certificate expiry issues, you must install a valid certificate and perform a manual sync up through the UI.
• For a node that has been down for more than six hours, you must restart the node, check for connectivity issues, and perform a manual sync up through the UI.
For more information regarding this issue, please go through this link:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp192802
02-19-2014 10:20 AM
Hi,
Does that issue affect admin passwords that are local and specific to each ISE?
I was under the impression that admin CLI accounts are not synced across the deployment and are specific to each ISE?
Mario
03-04-2014 11:25 PM
Hi marioderosa,
You are correct. Admin CLI accounts are not synced across deployments and are specific to each ISE. Normally the issue with CLI admin passwords should not have any adverse impact on GUI admin users and their passwords. Admin CLI users and passwords are stored in the Linux OS layer, whereas ISE admin GUI users and passwords are stored within the ISE database.