my issue is different to the usual admin account lock out.
we have two ise's, primary admin and secondary admin. The admin CLI password works for the secondary ISE but it does not work for the primary ISE.
so, i wanted to shutdown the primary ISE and promote the secondary ISE to primary, however all of our web accounts have expired and you cannot reset user accounts on a secondary admin node using the CLI as it must be promoted primary!
When i try and reset the admin CLI password using the ISO image (as we run VM's) on the primary ISE... the process appeears to work, but when i try and log in using the new password after a reboot the login still fails!...
i think something has corrupted on the primary node and therefore I wish to promote the secondary to primary but I cannot as we have no access to the web gui.
This issue can occurs when the primary and secondary Cisco ISE nodes' database are out of sync. For out of sync issues, which most likely are due to time changes or NTP sync issues, you must correct the system time and perform a manual sync up through the UI.
•For certificate expiry issues, you must install a valid certificate and perform a manual sync up through the UI.
•For a node that has been down for more than six hours, you must restart the node, check for connectivity issues, and perform a manual sync up through the UI.
For more information regarding this issue, please go through this link:
you are correct . Admin CLI accounts are not synced across deployments and are specific to each ISE. Normally the issue with CLI admin passwords should not have any adverse impact on GUI admin users and their passwords. Admin CLI users and passwords are stored in linux layer OS whereas ISE admin GUI users and passwords are stored within ISE database.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...