If you're familiar with Cisco ISE deployments, you've no doubt encountered an Administrator password that has expired and needs to be reset. This can happen for a number of reasons, but the most common is that the admin password expiry setting hasn't been disabled in ISE.
To change the GUI Admin password, the command is application reset-passwd ise admin newpassword. However, in your case, you must boot from the ISE DVD (or iso, if virtual) and choose option 3 or 4 depending on your situation.
ISE-Server# application reset-passwd ise admin
Notes: The ISE GUI admin password expires after 45 days by default. Log into the CLI and run the following command to reset it: application reset-passwd ise admin. Password reset is only possible from STANDALONE or PRIMARY nodes.
Conditions: Issuing 'application reset-passwd ise ' from the primary admin node CLI
When setting up a new Cisco ISE deployment, you will set the admin password. It is important to note that the CLI and GUI admin password can be different.
Although you can reset the admin GUI password via the CLI when it has expired, if the CLI password expires or you forget it, you will be required to boot from the .ISO in order to reset the password.
Booting from the .ISO can be a pain if ISE nodes are in a production environment and you may find that you need a change window to do this. Whatever the case may be, this article focuses on how to reset the admin passwords while ISE is in production.
These steps were taken when I encountered a similar issue with a distributed ISE deployment. If you've encountered something similar or done a password reset in a similar way, share your experience below.
Steps Summary
- Request a change window (Optional)
- Acquire the relevant .ISO file
- Decide on the order of relevance for nodes in the deployment
- Reset the Admin CLI password node by node
- Unmount .ISO file
- Verify successful password change
- Change the GUI admin password (Optional)
- Disable Admin password expiry (Optional)
Request a change window if required
As your ISE nodes may be in a production environment, it might not be as simple as taking ISE nodes offline while resetting the Admin password. A distributed deployment is slightly easier because you'd normally have secondary/multiple nodes to manage tasks while others are offline. On the other hand, if your deployment is a standalone deployment, more planning may be needed before taking the node offline.
Whatever the case may be, it's best to check whether a change window is required before proceeding with the change.
Acquire the relevant .ISO file
Navigate to software.cisco.com and download the relevant .ISO. The .ISO must match the software version of your current deployment.
Decide which nodes will be shut down first & reset passwords one by one on each node
This is a rather important step within a live environment because each ISE node will be taken offline while the .ISO is mounted and the passwords are changed.
Each deployment will differ, so this article won't mandate which of your nodes should be shut down first. However, when I've performed this task in the past, I would normally start by shutting down PSN nodes. So here is what I would do with a typical distributed deployment:
- Shut one node down at a time
- Start with a PSN, ensuring NADs will use another PSN in the event that one of the configured PSNs is not available. If load balancing is used then this should be taken care of
- Shut down the first node and mount the .ISO as per Cisco documentation, depending on whether it is a physical or virtual deployment
- Power on the node, ensuring it will boot into the .ISO
- Reset the password for the necessary admin accounts as per Cisco documentation
- Unmount the .ISO
- Reboot the node
- Verify access to the device using the CLI now that the password has been changed
- Verify all services are online before following the same steps again on other nodes
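The ordering and the NAD failover check from the steps above can be worked out before the change window. The following Python sketch is an added example, not part of the original article or any Cisco tooling; the hostnames, roles and NAD-to-PSN mappings are constructed sample data, and placing non-PSN nodes in inventory order is an assumption, since the article only says to start with PSNs.

```python
"""Plan a one-node-at-a-time ISE admin password reset (illustrative only)."""

# Constructed inventory: hostnames, roles and NAD mappings are hypothetical.
NODES = {
    "ise-pan1": "PAN", "ise-pan2": "PAN", "ise-mnt1": "MNT",
    "ise-psn1": "PSN", "ise-psn2": "PSN", "ise-psn3": "PSN",
}
# NAD -> PSNs configured on it as RADIUS servers (constructed sample data).
NAD_RADIUS_SERVERS = {
    "sw-access-01": ["ise-psn1", "ise-psn2"],
    "wlc-01": ["ise-psn2", "ise-psn3"],
    "sw-branch-07": ["ise-psn3"],
    "sw-lab-02": ["ise-psn1", "ise-psn9"],  # ise-psn9 is not in the inventory
}


def stranded_nads(offline_psn, nodes, nad_servers):
    """Return NADs left with no known PSN while offline_psn is down."""
    stranded = []
    for nad, servers in sorted(nad_servers.items()):
        if offline_psn not in servers:
            continue
        # Only PSNs present in the inventory count as a usable fallback.
        fallback = [s for s in servers
                    if s != offline_psn and nodes.get(s) == "PSN"]
        if not fallback:
            stranded.append(nad)
    return stranded


def plan_reset(nodes, nad_servers):
    """Order nodes PSNs-first and flag NADs each PSN outage would strand."""
    # sorted() is stable: non-PSN nodes keep their inventory order
    # (an assumption; the article only says to start with PSNs).
    order = sorted(nodes, key=lambda n: nodes[n] != "PSN")
    plan = []
    for node in order:
        role = nodes[node]
        at_risk = stranded_nads(node, nodes, nad_servers) if role == "PSN" else []
        plan.append((node, role, at_risk))
    return plan


if __name__ == "__main__":
    for node, role, at_risk in plan_reset(NODES, NAD_RADIUS_SERVERS):
        note = f"fix NAD config first: {', '.join(at_risk)}" if at_risk else "ok"
        print(f"{node:10} {role:4} {note}")
```

Any NAD flagged for a PSN needs a second reachable PSN configured before that node is shut down; otherwise authentication for that device stops for the duration of the reset.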
Change the GUI password (Optional)
The admin CLI and GUI password can be different. Some administrators are not aware of this and when one password is changed, they often think it will change for the other too but that is not the case. I think the assumption that this is the case stems from the initial install of ISE because you only configure the admin password once for the CLI and that is also used for the GUI.
If you would like to change the GUI password, either log into the ISE GUI and change the ISE password or, if that password also needs resetting, access the CLI and enter the following command or watch the video demonstration:
Disable admin password expiry (Optional)
ISE admin accounts will expire after a specific period (45 days by default). The following screenshot shows you how to disable admin password expiry.
In the ISE GUI navigate to Administration > System > Admin Access > Authentication > Password Policy and uncheck 'Administrator passwords expire # days after creation or last change'.
I hope this post has been useful in helping you plan a password reset within your ISE deployment.
If you find yourself in a position where you need to reset the application configuration and database of your Identity Services Engine node, here are a few suggestions for a little house cleaning before setting off on your journey.
Items to check off your list:
Am I regularly backing up my application, OS and monitoring data?
If not, you can perform an on-demand backup or create a backup schedule to fit your needs. This can be accomplished with the CLI or the GUI as demonstrated here.
What role does the ISE node that I intend to reset play in my deployment?
If you need to reset the configuration of an ISE node in a dual-node or distributed deployment, the node will need to be de-registered from the cluster. Be sure to record the database user and database admin passwords, as they must be identical on all nodes in your deployment when it comes time to re-register.
Does my ISE installation use CA-issued certificates?
Certificates do not persist following an application reset. Local certificates and certificates within the Certificate Store can be exported, and later imported, following the application reset, as demonstrated here.
What version of ISE am I currently running?
**WARNING** There is currently a bug associated with ISE version 1.1.3, patch 1, when issuing the command 'application reset-config ise'
If you've already issued the 'application reset-config ise' and you're running 1.1.3 patch 1, your 'Home' page and 'Operations > Authentications' page may look similar to this.
If you are resetting an ISE node that happens to be your acting primary admin node, then the functionality displayed above is less than desirable. I've been unable to track down an official Cisco bug associated with this issue. In fact, there is only one bug listed for 1.1.3 as of 6/4/2013, CSCuf21967, according to the Software Bug ToolKit.
To fix this issue, remove and re-add the patch from the affected node. If you're using a multi-node deployment or a distributed deployment, the patch will need to be removed from the primary admin node's GUI or from each node's CLI. The GUI option doesn't provide you with much of an indication of progress, so the CLI may be the preferred method. Your mileage may vary.
With the exception of ISE version 1.1.3, patch 1, if you are running ISE version 1.1.x, you can reset the application configuration without rendering your 'Home' and 'Operations > Authentications' pages unusable.
NOTE: When resetting a node's application configuration, the database admin and database user passwords must be set to match all other nodes in your deployment, otherwise registration will fail.