Cisco ISE Password Recovery

By default, Cisco Identity Services Engine (ISE) has one single user for accessing the GUI: admin (default password: ‘default’). Many accounts can be created from the GUI, and different accounts can have different roles/rights. Besides that, there is an admin account in the CLI as well. It is important to note that this is NOT the same account, even though both usernames are ‘admin’. The CLI admin password is specified during setup, and the GUI admin password is changed at first GUI login.


So, what happens when the admin (or any other) password is lost? In the early versions of ISE 1.0 there was no way to recover the GUI password, but since version 1.04 (see release notes) there is a CLI command to reset the password of any GUI user. The command is ‘application reset-passwd ise <username>’:
Reset GUI admin-password from CLI


lab-ise/admin# application reset-passwd ise admin
Enter new password:
Confirm new password:
Password reset successfully.


Now, what if we lose the password for the CLI admin? Well, there is a solution for that too. First of all, we need console access to ISE. If it is a VM we need to get into the vSphere Client, and if it is an appliance we need to walk to the server room and connect a VGA monitor and keyboard to the box. Second, this cannot be solved without rebooting the box (which of course breaks any services depending upon the ISE instance). The reset is done by booting from the installation media (DVD or .iso image); from there, there is an option to reset the CLI admin-user…







Reset CLI admin-password by rebooting ISE




Default password policy

Note that there is a default setting in the ISE password policy that requires the admin user (GUI user!) to log in every now and then and change its password to prevent the account from being locked out. I am curious about why this setting is enabled by default…