Suggested Steps for Resetting Cisco ISE Admin User CLI & GUI Password in a Production Environment

-

If you're familiar with Cisco ISE deployments, then no doubt you've encountered a time where an Administrator password has expired and needs to be reset. This can happen for a number of reasons however the most common would be because of the admin password expiry setting that hasn't been disabled in ISE.

When setting up a new Cisco ISE deployment, you will set the admin password. It is important to note that the CLI and GUI admin password can be different.
Although you can reset the admin GUI password via the CLI when it has expired, if the CLI password expires or you forget it, you will be required to boot from the .ISO in order to reset the password.

Booting from the .ISO can be a pain if ISE nodes are in a production environment and you may find that you need a change window to do this. Whatever the case may be, this article focuses on how to reset the admin passwords while ISE is in production.
These steps were taken when I encountered a similar issue with a distributed ISE deployment. If you've encountered similar or done a password reset a similar way, share your experience below.

Steps Summary

  • Request a change window (Optional)
  • Acquire the relevant .ISO file
  • Decide on the order of relevance for nodes in the deployment
  • Reset the Admin CLI password node by node
  • Unmount .ISO file
  • Verify successful password change
  • Change the GUI admin password (Optional)
  • Disable Admin password expiry (Optional)

Request a change window if required


As your ISE nodes may be in a production environment, it might not be as simple as taking ISE nodes offline while resetting the Admin password. Distributed deployment a slightly easier because you'd normally have secondary/multiple nodes to manage tasks while others are offline. On the other hand, if your deployment is a standalone deployment, more planning may be needed before taking the node offline.
Whatever the case may be, it's best to check whether a change window is required before proceeding with the change.

Acquire the relevant .ISO file


Navigate to software.cisco.com and download the relevant .ISO. The .ISO needs to match the same version software of your current deployment.

Decide which nodes will be shutdown first & reset passwords one by one on each node

This is a rather important step within a live environment because each ISE node will be taken offline while the .ISO is mounted and the passwords are changed.

Each deployment will differ so this article won't mandate which of your nodes should be shutdown first, however, when I've performed this task in the past, I would normally start with shutting down PSN nodes. So here is what I would do with a typical distributed deployment:

  • Shut one node down at a time
  • Start with a PSN, ensuring NAD's will use another PSN in the event that one of the configure PSN's is not available. If load balancing is used then this should be taken care of
  • Shutdown the first node and mount the .ISO as per Cisco documentation and dependant on whether it is a physical or virtual deployment.
  • Power on the node, ensuring it will boot into the .ISO
  • Reset the password for the necessary admin accounts as per Cisco documentation:
ISE 2.4 Password Recovery Mechanisms

  • Unmount the .ISO
  • Reboot the node
  • Verify access to the device now using the CLI now that the password has been changed
  • Verify all services are online before following the same steps again on other nodes

Change the GUI password (Optional)


The admin CLI and GUI password can be different. Some administrators are not aware of this and when one password is changed, they often think it will change for the other two but that is not the case. I think the assumption that this is the case stems from the initial install of ISE because you only configure the admin password once for the CLI and that is also used for the GUI.

If you would like to change the GUI password then either log into the ISE GUI and change the ISE password or if that password also needs resetting then access the CLI and enter the following command below or watch the video demonstration:
application reset-passwd ise <username-here>


Disable admin password expiry (Optional)


By default, ISE admin accounts will expire after a specific period (45 days by default). The following screenshot shows you how to disable admin password expiry.
In the ISE GUI navigate to Administration > System > Admin Access > Authentication > Password Policy and uncheck 'Administrator passwords expire # days after creation or last change'.


I hope this post has been useful in helping you plan a password reset within your ISE deployment.
Kelvin Charles - Network and Cyber Security Professional.

Popular Posts

Capturing EAPOL and RADIUS Using Wireshark

-
Image
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x
Read more

Configuring Cisco Smart License Software

-
In this article, I would like to demonstrate how to configure Cisco Smart Licensing on the virtual Cisco Adaptive Security Appliance (ASAv). This post assumes that readers already have access to there own Smart Account and would like to know the process of applying licenses. Step 1: Generate ID Token Sign into your Cisco Software Portal: software.cisco.com and navigate to “Smart Software Licensing” You will now need to create an ID token for your device, this is required for communication between the device and the licensing authority. Follow the steps below to create a new token. Click Inventory >>> General >>> New Token and select your preferred options and enter a description for your token. Once you are happy with your token settings click Create Token . You should now have a token created which can be copied over to the device you wish to license. All commands and output from this point will be related to the ASA so please seek out further advice if you wish
Read more

Cisco :: FXOS Authentication Using TACACS

-
In this article, I will describe how to enable authentication and authorization for Firepower eXtensible Operating System (FXOS) devices. The use case presented in this document illustrates how Cisco Identity Services Engine (ISE) can be utilised with attribute-value pairs (AV-Pairs) to authenticate and authorize users accessing the Firepower Chassis Manager (FCM) or FXOS platforms via TACACS+. At the time of writing this post, I found that limited documentation existed and of that documentation that did exist, the examples given weren’t as straightforward. In an effort to make this process easier for my colleagues and customers to understand I have put together the following instructions based on a previous use case given to me. Extracts of this document have been taken from a wider document I am currently creating. I will update this article with the complete document when it has been finalized. Requirements A ‘Device Administration’ license is required in order to use TACACS+ with
Read more

Configuring Remote Access VPN on Firepower

-
Image
In this article we are going to take a look at how to configure remote access VPN's on Firepower devices. This demonstration is based on the following lab environment: Cisco Virtual Firepower Management Center Cisco Virtual Firepower Threat Defense Cisco ISE 2.6 Windows host with AnyConnect VPN Windows Server 2019 (CA Server) All Firepower devices are running version 6.5 Note: ISE is used for authentication and authorization in the following lab however the configuration elements of ISE are out of scope for this demonstration. Generate a CSR for Remote Access VPN's Those accessing your network remotely need to trust the service you're running. Without the correct trust users could face issues connecting via VPN. With access to the FMC navigate to Objects > Object Management > PKI > Cert Enrollment Assuming you are opting for manual enrollment, select 'Manual' in Enrollment Type and copy the CA Certificate BASE-64 into the field. Now select the 'Certifi
Read more

Kali Linux :: CAM Table Overflow Attack Demonstration

-
Image
As part of my on-going studying for the CCNA Security 210 – 260 certification I have been exploring different types of network attacks, one of which is CAM table overflow attacks. In this article I would like to share what I have learnt and provide a demonstration of the attack carried out in a lab environment. To understand my demonstration, you first need to understand how a CAM table overflow attack works and what happens as a result of the attack.   Switches build Content Addressable Memory (CAM) tables based on mac-addresses and port numbers. When a switch receives a frame it checks the table to see if the source mac-address is already known, if the source mac-address is unknown the switch will add the mac-address to the table along with the port number. The switch then checks the destination layer two frame and if no entry exists the switch broadcasts the frame out of all ports except the port in which the frame was received. Presuming the destination mac-address wants to respond
Read more