A great little “feature” of Cisco’s
Identity Services Engine
is that out of the box, the administrator account expires after 45 days if the password is not changed during that time. The
says that if you have trouble logging in you should click the “Problem logging in?” link and use the default administrative user/pass. This is of course ridiculous and does not work.
Below are the steps for properly resetting an admin password and for changing the security policy so the lockout doesn’t happen again.
Unlock the Admin
The unlock process is really a password recovery and works a lot like password recovery on an IOS device. You need console access to the appliance and the ISE software DVD/ISO. A reboot is required.
ISE systems can be installed on dedicated server hardware or as virtual appliances under VMware vSphere. The box in my lab was a virtual appliance so these steps are going to reflect console access and rebooting of a VM.
#1 – Reboot from ISE DVD/ISO
To get to the recovery console, the appliance needs to be booted from the ISE installation media. I had the ISO image handy so I used that. Now under vSphere, when the VM reboots, any media that was attached prior to the reboot is disconnected. The trick is to have the console window for the VM open in vSphere Client and hit the <F2> key when you see the VMware BIOS screen. With the machine sitting in the BIOS, it gives you time to reattach the ISE ISO to the DVD drive before the OS starts to load up.
Also while in the BIOS, adjust the boot device order so it hits the CD-ROM drive before the hard drive.
If you’re doing a recovery on a physical appliance, you’ll probably still want to check your boot device order and also set it to boot from CD/DVD drive first.
Save your BIOS changes and boot the machine.
#2 – Reset Admin CLI Password
When the machine boots from the ISE DVD it will display a number of boot options.
If the appliance is a VM or is a physical appliance with a keyboard/mouse attached, choose #3. If the appliance is accessed via a serial console, choose #4.
The recovery menu now appears and asks which admin account to recover.
Choose the account and enter a new password. This password will be used to log in on the appliance’s console. It does not work on the web UI.
Reboot the appliance now, making sure to eject/disconnect the DVD/ISO image so that it boots normally.
#3 – Reset the ISE GUI Admin Password
With the appliance booted normally, log in on the console using the password that was set in step #2. Remember: the console admin account is different than the web UI admin account. They have the same username but can have different passwords. Use the command “application reset-passwd ise admin” to set a new web UI admin password.
The screenshot above shows other options that can be used with the “application” command.
The web UI should now be accessible using the password that was just set.
Change the Password Lockout Policy
The default password policy says that admin accounts will be locked out if their passwords are not changed once every 45 days.
This can be adjusted in Administration, System, Admin Access. Expand the Settings folder and highlight Password Policy.
Did I Need to Reset the CLI Admin or Am I Just Forgetful?
I confess, I’m not 100% sure that I needed to reset the CLI admin password. None of the passwords in my password safe were working on the CLI so it was either expired or I forgot to store the CLI password in the safe. If your web UI password doesn’t work, try starting from step #3 to see if you can avoid rebooting the appliance. Best case it works, worst case you start from step #1 and reset all the passwords.
Can anyone comment on whether the password policy configured in the web UI also applies to the console admin user?