cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3983
Views
0
Helpful
5
Replies

Cannot log in to ISE.

marioderosa2008
Level 1
Level 1

Hi all,

my issue is different to the usual admin account lock out.

we have two ise's, primary admin and secondary admin. The admin CLI password works for the secondary ISE but it does not work for the primary ISE.

so, i wanted to shutdown the primary ISE and promote the secondary ISE to primary, however all of our web accounts have expired and you cannot reset user accounts on a secondary admin node using the CLI as it must be promoted primary!

When i try and reset the admin CLI password using the ISO image (as we run VM's) on the primary ISE... the process appeears to work, but when  i try and log in using the new password after a reboot the login still fails!...

i think something has corrupted on the primary node and therefore I wish to promote the secondary to primary but I cannot as we have no access to the web gui.

Please help!

thanks

Mario                  

5 Replies 5

marioderosa2008
Level 1
Level 1

Cisco tac advised that I was trying to use the ISO v1.1.1 to reset the admin password of our 1.2 deployment which won't work due to 1.2 being 64bit and 1.1.x being 32bit

Sent from Cisco Technical Support iPhone App

I have now successfully reset admin. Password with correct ISO.

Mario

Sent from Cisco Technical Support iPhone App

Muhammad Munir
Level 5
Level 5

Hi mario,

FYI

This issue can occurs when the primary and secondary Cisco ISE nodes' database are out of sync. For out of sync issues, which most likely are due to time changes or NTP sync issues, you must correct the system time and perform a manual sync up through the UI.

•For certificate expiry issues, you must install a valid certificate and perform a manual sync up through the UI.

•For a node that has been down for more than six hours, you must restart the node, check for connectivity issues, and perform a manual sync up through the UI.

For more information regarding this issue, please go through this link:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/troubleshooting_guide/ise_tsg.html#wp192802

marioderosa2008
Level 1
Level 1

Hi,

Does that issue affect admin passwords that are local and specific to each ISE??

I was under the impression that admin cli accounts are not synced across the deployment and are specific to each ISE?

Mario

Sent from Cisco Technical Support iPhone App

Hi marioderosa,

you are correct . Admin CLI accounts are not synced across deployments and are specific to each ISE. Normally the issue with CLI admin passwords should not have any adverse impact on GUI admin users and their passwords. Admin CLI users and passwords are stored in linux layer OS whereas ISE admin GUI users and passwords are stored within ISE database.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: