Cisco Identity Services Engine (ISE) has by default a single user for accessing the GUI: admin (default password: ‘default’). Many accounts can be created from the GUI, and different accounts can have different roles/rights. Besides that, there is an admin account in the CLI as well. It is important to note that this is NOT the same account, even though both usernames are ‘admin’. The CLI admin password is specified during setup, and the GUI admin password is changed at first GUI login.
So, what happens when the admin (or any other) password is lost? In the early versions of ISE 1.0 there was no way to recover the GUI password, but since version 1.04 (see release notes) there is a CLI command to reset the password of any GUI user. The command is ‘application reset-passwd ise <username>’:
Reset GUI admin-password from CLI
lab-ise/admin#
lab-ise/admin#
lab-ise/admin#
lab-ise/admin# application reset-passwd ise admin
Enter new password:
Confirm new password:
Password reset successfully.
lab-ise/admin#
Now, what if we lose the password for the CLI admin? Well, there is a solution for that too. First of all, we need console access to ISE. If it is a VM we need to get into the vSphere Client, and if it is an appliance we need to walk to the server room and connect a VGA monitor and keyboard to the box. Second, this cannot be solved without rebooting the box (which of course breaks any services depending upon the ISE instance): we boot from the installation media (DVD or .iso image), and from there, there is an option to reset the CLI admin user…
Reset CLI admin-password by rebooting ISE
Default password policy
Note that there is a default setting in the ISE password policy that requires the admin user (GUI user!) to log in every now and then and change its password to prevent the account from being locked out. I am curious about why this setting is enabled by default…