Resetting Admin Password on a Cisco ISE Appliance

A great little “feature” of Cisco’s Identity Services Engine is that out of the box, the web UI administrator account is disabled after 45 days if its password is not changed during that time. The documentation says that if you have trouble logging in you should click the “Problem logging in?” link and use the default administrative user/pass. This is of course ridiculous (the default has long since been changed on any real installation) and does not work.

Below are the steps for properly resetting an admin password and for changing the security policy so the lockout doesn’t happen again.

ISE systems can be installed on dedicated server hardware or as virtual appliances under VMware vSphere. The box in my lab is a virtual appliance so these steps are going to reflect console access and rebooting of a VM.

#1 – Reboot from ISE DVD/ISO

UPDATE Oct 18 2015: This step is only necessary if you’re also locked out of the CLI. If you have a working CLI username/password, skip to step #3. If your CLI username/password aren’t working, you need to do a full password reset by following the steps below to get to the recovery console.

To get to the recovery console, the appliance needs to be booted from the ISE installation media. I had the ISO image handy so I used that. Under vSphere, when the VM reboots, any media that was attached from the client prior to the reboot is disconnected. The trick is to have the console window for the VM open in vSphere Client and hit the <F2> key when you see the VMware BIOS screen. With the machine sitting in the BIOS, it gives you time to reattach the ISE ISO to the DVD drive before the OS starts to load.

Connect to ISO image on local disk

Also while in the BIOS, adjust the boot device order so it hits the CD-ROM drive before the hard drive.

CD-ROM before Hard Drive

If you’re doing a recovery on a physical appliance, you’ll probably still want to check your boot device order and also set it to boot from CD/DVD drive first.

Save your BIOS changes and boot the machine.

#2 – Reset Admin CLI Password

When the machine boots from the ISE DVD it will display a number of boot options.

ISE Boot Menu

If the appliance is a VM or is a physical appliance with a keyboard/mouse attached, choose #3. If the appliance is accessed via a serial console, choose #4.

The recovery menu now appears and asks which admin account to recover.

ISE Password Recovery Screen

Choose the account and enter a new password. This is the CLI admin password, used to log in on the appliance’s console and over SSH. It does not work on the web UI.

Reboot the appliance now, making sure to eject/disconnect the DVD/ISO image so that it boots normally.

#3 – Reset the ISE GUI Admin Password

With the appliance booted normally, log in on the console using the CLI admin account. Remember: the console admin account is different than the web UI admin account. They have the same username but can have different passwords.

From the command prompt, use the command “application reset-passwd ise admin” to set a new web UI admin password.

Reset ISE Web UI Password

The screenshot above shows other options that can be used with the “application” command.

The web UI should now be accessible using the password that was just set.

Change the Password Lockout Policy

The default admin password policy disables admin accounts whose passwords have not been changed in the last 45 days. That is the “lockout” that caused the trouble above; either raise the number of days or turn the setting off.

ISE Admin Lockout Policy

The lockout policy can be adjusted by navigating to Administration > System > Admin Access > Authentication > Password Policy.

Admin Password Policy in ISE 2.0

The Password Policy screen hasn’t changed since ISE v1.1 and should work in all current versions of ISE.

Did I Need to Reset the CLI Admin or Am I Just Forgetful?

I confess, I’m not 100% sure that I needed to reset the CLI admin password. None of the passwords in my password safe were working on the CLI so it was either expired or I forgot to store the CLI password in the safe. If your web UI password doesn’t work, try starting from step #3 to see if you can avoid rebooting the appliance. Best case it works, worst case you start from step #1 and reset all the passwords.

UPDATE Oct 18 2015: Thanks to dileep and Joe S who commented that the CLI password is separate from the web UI password and that as long as you still have access to the CLI, there’s no need to do a full password recovery.

Disclaimer: The opinions and information expressed in this blog article are my own and not those of Cisco Systems.

65 thoughts on “Resetting Admin Password on a Cisco ISE Appliance”

  1. On the ISE appliance, there is no need for a recovery CD. Just issue the command ‘application reset-passwd ise admin’ and it will be fine to reset the password.

    Thanks so much guys, u have made my day.

        1. hi Joel

          I tried the same but it showing me like this.
          isetest-srv1/admin application reset-passwd cisco123 admin
          %Application Cisco123 is not installed
          can pls help to solve this issue .

          Thanks
          Ram Kumar

          1. @ Ram Kumar

            Your syntax is incorrect.

            ISE/admin# application reset-passwd ?
            Application name to reset password (Max Size – 255)

            In the case of ISE, the application name is “ise” (without the quotes). You would then append after that the username whose password you wish to reset.

            For instance:

            application reset-passwd ise rkumar

            …would reset the password of user rkumar.

          2. Hi Ram. Your syntax is a little off. It should be:

            application reset-passwd ise admin

            It will then prompt you for the new password; don’t specify the password as part of the command.

  2. I am running ISE 1.1.2.145, and the Password Lockout Policy is located at:

    Administration\Identity Management\Settings\User Password Policy

    1. Hi mlan,

      True, there is a password policy page at that level. That policy only applies to end users who are being authenticated by ISE though and not admins accessing the web UI.

      You did make me go back and check if things changed between 1.0 and 1.1.x and they did. The proper menu is now Administration > System > Admin Access > Authentication > Password Policy.

      I’ll update the post, thanks!

    1. Hi Abel,

      I’m not sure exactly what you’re asking. There’s no password for the appliance itself. The passwords are all for the ISE software.

      The default webui user/pass is admin/cisco.
      There is no default CLI password as you have to set one when you do the installation. CLI username is admin.

  3. Hi

    We have primary and secondary. The primary is up and configured as the “primary”.

    The password for CLI and UI for the secondary expired. So, we reset the pw for the CLI, rebooted, and tried to reset the UI password (“application reset-passwd ise admin”) but received the error “Error! Password reset is only possible from STANDALONE or PRIMARY node”.
    I am not sure exactly what to do to resolve the issue.

    1. Hi Christine,

      The webui admin user is stored in the ISE DB which gets replicated from the primary node to the other nodes in the system. As long as the webui admin user account has not expired on the primary, you should be able to log into the secondary. If it’s expired, you need to reset it on the primary admin node.

      1. Hi, we are experiencing the same thing. The reason Christine is not able to change the password through the primary is that the primary and secondary at this point are not in sync, and when we try to select and sync again it will not sync. We suspect it’s because of the username and password.

        Our option, we think, is to log in to the secondary node and try to promote it to primary. However, we don’t have the login, and cannot change it through the CLI as it’s a secondary node.

  4. How can we set the password back to the earlier one? I tried to reset the old password to a new one, and now from the CLI I am trying to reset the new password back to the old password :P Any idea how I can achieve that? I have a test ISE that so many students access; I don’t want my email flooded with requests for the new password. I hope you get my point.

    1. Hi. I don’t quite understand your question. If you want to reset the password to the old password, just give it the old password on the CLI.

      1. I already changed the password to a new one, but now I want to change it back to the old one. Any idea how I can do that?

        Here is the CLI output:

        password-policy
        lower-case-required
        upper-case-required
        digit-required
        no-username
        disable-cisco-passwords
        min-password-length 6
        password-lock-enabled
        password-lock-retry-count 5

        and the CLI gives me this error when I type and apply the old password again:
        Password can’t be set to one of the earlier 2 password(s)

        I have no idea; it doesn’t allow me to reset to the old one. I have also looked at the Cisco documentation but I didn’t find any solution for that.

        1. I’m not clear which password you’re trying to reset, app or CLI.

          The application/webUI password history cannot be disabled except in ISE 1.2 (and even then, I’m going on second hand information and haven’t verified it). So unless you’re on 1.2 you can’t reuse the same password without resetting the password a bunch of times to artificially clear the history.

  5. Adding to the thread – note that the 3400 series appliances have no DVD from which to boot. So password recovery on those requires creating a bootable 8 GB USB drive with the .iso.

  6. I randomly found my CLI-admin account password not working anymore, so I have been researching this topic again. I found a thread that mentioned scanning software in your enterprise could be disabling the CLI-admin account by attempting too many “admin” logins over SSH. That seems to be the case in my environment.

    From: https://supportforums.cisco.com/discussion/11564781/reset-ise-cli-password

    “If you have too many attempts from the CLI, it will lock out the CLI password and the only way to recover this DVD. This is especially when you have security scanning system scanning the ISE thus locking out the “admin” CLI account. Stupid Cisco.

    The work around is:

    nkiseu1/admin(config)# password-policy

    nkiseu1/admin(config-password-policy)# no password-lock-enabled

    nkiseu1/admin(config-password-policy)# end

    nkiseu1/admin#

    That will ensure the “admin” account will not lock out after excessive attempts.”

    1. Locking accounts after X amount of failed login attempts is standard across all software and vendors. It’s not a stupid Cisco thing :)

      1. The “Stupid Cisco” comment wasn’t my text, it was from the cisco support forums thread I linked. That said, most Linux distros do not lock accounts by default, neither does Windows local accounts. Anyway, I thought it might be helpful for those wondering why the account is randomly locked out. I also thought it might have been an answer for your last topic section titled: “Did I Need to Reset the CLI Admin or Am I Just Forgetful?”
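The thread above describes the other way a CLI admin ends up "randomly" locked out: a scanner (or anyone else) hammering SSH with the username `admin` until `password-lock-retry-count` is hit. Rather than switching the lock off with `no password-lock-enabled`, a practitioner would usually want to know which source is doing it. The block below is an added example, not code from the post or from Cisco. It parses failed-login lines and flags any source whose failures against `admin` reach the threshold of 5 from the policy block quoted earlier inside a sliding window. Assumptions: the sample lines are constructed here in OpenSSH's standard `Failed password for ...` format, and that ADE-OS's sshd logs in exactly that shape is not confirmed by the post, so adapt `FAILED_RE` to what your own node emits; the year is supplied because syslog timestamps omit it.

```python
# Added example: find SSH sources that trip the CLI admin lockout threshold.
# Not the appliance's code; the log lines below are constructed for the demo.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Threshold from the CLI password-policy quoted in the comments above.
LOCK_RETRY_COUNT = 5

# Constructed sample: one scanner (10.20.30.40) burning through 'admin' in
# seconds plus a probe of 'root', and one human (192.168.1.5) fat-fingering twice,
# hours apart, with a successful login in between.
SAMPLE_LOG = """\
Nov  3 10:14:01 ise01 sshd[2231]: Failed password for admin from 10.20.30.40 port 51233 ssh2
Nov  3 10:14:03 ise01 sshd[2233]: Failed password for admin from 10.20.30.40 port 51234 ssh2
Nov  3 10:14:05 ise01 sshd[2235]: Failed password for invalid user root from 10.20.30.40 port 51235 ssh2
Nov  3 10:14:06 ise01 sshd[2237]: Failed password for admin from 10.20.30.40 port 51236 ssh2
Nov  3 10:14:08 ise01 sshd[2239]: Failed password for admin from 10.20.30.40 port 51237 ssh2
Nov  3 10:14:10 ise01 sshd[2241]: Failed password for admin from 10.20.30.40 port 51238 ssh2
Nov  3 10:31:45 ise01 sshd[2302]: Failed password for admin from 192.168.1.5 port 40011 ssh2
Nov  3 10:32:02 ise01 sshd[2304]: Accepted password for admin from 192.168.1.5 port 40012 ssh2
Nov  3 16:02:00 ise01 sshd[3110]: Failed password for admin from 192.168.1.5 port 40990 ssh2
"""

# Assumed OpenSSH line shape; adjust to your node's actual 'show logging' output.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2015):
    """Return [(timestamp, user, source_ip), ...] for every failed-password line.
    Syslog timestamps carry no year, so one is supplied (2015 assumed here)."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Nov  3"
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
        out.append((ts, m["user"], m["ip"]))
    return out


def find_lockout_sources(failures, user="admin", threshold=LOCK_RETRY_COUNT,
                         window=timedelta(minutes=10)):
    """Return {source_ip: peak_failures} for sources whose failed logins against
    `user` reach `threshold` inside any span of length `window` (sliding)."""
    by_ip = defaultdict(list)
    for ts, u, ip in failures:
        if u == user:  # failures against other usernames don't count toward this lock
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in find_lockout_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failed 'admin' logins within 10 min "
              f"(lock threshold {LOCK_RETRY_COUNT})")
```

The human's two failures never accumulate because they fall outside the window, while the scanner's five `admin` failures in nine seconds match the threshold; its `root` probe is excluded because the lock counter is per account. Feed the output to whatever exception list your vulnerability scanner supports, which keeps `password-lock-enabled` in place instead of disabling it.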

    1. I wish I knew how to do this from the web UI. I can’t find it anywhere. I do know you can get it from the CLI via “show version”.

      1. It’s a bit convoluted but if you don’t have cli access (or someone local who can read it off for you), you can get the hardware model from a support log.

        operations > troubleshoot > download logs. Choose the node you want then under the support bundle tab select only the system logs. Provide an encryption key and create the bundle. Once it has finished processing, download it locally.

        Since you’ve had to encrypt it using GNU Privacy Guard (gpg), you’ll need to decrypt and extract it. If you’re on Windows, you will need something like Gpg4win. With that, decrypt the downloaded file. It will output the bundle to a structured directory, one of them being “showtech”. Navigate to that and you should see the file “showtech.out”. Open that with a plain text editor (I prefer Notepad++) and you will see right up near the top of the file the output of “show udi”:

        *****************************************
        Displaying UDI …
        *****************************************
        SNS-3495-K9

          1. Joel,

            Yes the “show tech” is similar detail to what you get from an IOS device – all the version info including build date, install date, patch level etc.

            5584 lines of output just for that one file in the support log from the PAN node in my deployment.

            1. Ok, this is embarrassing because it seems so obvious now, but you can see the version in the web UI by mousing over the name of the server along the very top bar of the screen. It’ll open a little popup that shows the version and the personas and so on.

  7. Hey guys, who has encountered this problem?
    I am able to retrieve groups from Cisco ISE but I am unable to save the groups.

    Everything is working okay. What could be the problem?

  8. To be precise, I am using Cisco ISE 1.3.

    I think I have followed this guide and have exhausted my knowledge in finding a possible solution… Please, I need help so I can save the AD domain groups in Cisco ISE.

  9. I’m in the same boat. Loaded NFR ISE v1.3 on VmWare ESXi 5.5, cli admin password is good to go, but now that i’ve tried to login to the https://ise01/admin page it says my admin password has expired and needs to be reset.

  10. Ok… Here is the update: I’m running ISE 1.3 from the NFR OVA file.
    After you have everything up and running within VMware – NTP, domain-name, IPs, etc. – you need to reset the GUI/UI admin password to log in to the web administration portion. Here is how you do it from the CLI. This method will not reset the admin CLI password; it will only reset the web/GUI/UI admin password.
    Notes:
    admin = the name I choose for the GUI administration
    ISE = the application ie… this is the ISE server
    ise/admin# application reset-passwd ise admin

    Here is a link if you wanna read it: http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_0110.html#ID-1412-0000003f

    1. Hey Joe,

      I wonder if that’s just something funky with the NFR bits because I did not have to reset the web admin password on any installation I’ve done. And the cisco.com link you pasted also gives no indication of needing to reset the password on first login.

      Curious, does the NFR version let you install with less vRAM and vCPU than the regular version?

      1. Joel, you are absolutely right in concluding that my issue might have been due to the NFR versioning that i have. I also had a tough time wrapping my mind around how it was all done, so I might have locked myself out of the web-admin portion, but this is more-than-likely not the case because I was told that my password expired the first time I tried to login to the webadmin portion of the ISE.
        Being that I deployed the OVA portion of the NFR 1.3 ISE, I could only change the vRAM and vCPUs but not the HDD space. It provisions 600GB by default and 16GB RAM and 1 socket, 4 cores from what I recall.
        I was able to modify my VM to 2 sockets, 2 cores, 4GB vRAM and 2 NICs versus the 4 NICs that they default to.

  11. Hi all,

    am now in the same boat,

    I have the ISE appliance 1.3, and the web GUI password expired, and my colleague who installed it has now forgotten the CLI password.

    I wanted to recover but the appliance has no DVD-ROM. I need to create a bootable USB drive. Can anyone help me with this bootable USB drive?

    Mohan

    1. Mohan, google “create bootable usb” or something similar. There are lots of instructions and tools for doing this in Windows, Linux and OS X.

    2. No need to create some kind of disk, all you need to do is login to the cli via ssh and change the web admin password. The CLI admin password and the web admin password are separate, all you need is the cli password.

      I thought I put the configuration to fix this into this blog, but maybe not. Let us know if you cannot figure this out. Once you finally get in you can change the requirement to change the web admin password every 45 days or what not by turning off the requirement.

      Best regards,
      Joe S.

    3. Guys,

      Updating my earlier reply – the SNS-3400 series appliances without a DVD drive are based on UCS C-series servers.

      As such, we can use the Cisco Integrated Management Controller (CIMC) interface to attach a virtual disk (in this case, the ISE ISO image) and choose it to boot from during a system restart.

  12. Hi, I forgot my CLI password and I don’t have the CD either. How is it possible to change or reset the password and set a new password? I kept ADMIN as the user ID.

    1. Hi Mike,

      Go to cisco.com/go/ise, choose “Software Downloads” on the right, choose your version of ISE, find the “full installation” ISO and download it.

      If your server has a DVD drive, burn a DVD and boot it. Otherwise burn a USB stick and boot from that. Google can help you find free tools to burn the ISO file to a USB drive.

  13. Dear Joel Knight,

    I have an SNS-3415-K9 and all of a sudden both my CLI and GUI passwords are not working, which means the account is locked out. I tried to follow your nice post, but my device does not have a DVD drive so I can’t do the recovery based on what you’ve explained.

    need your support.

    Thank you

    1. Hi azuz,

      Mike (right above your comment) had a similar issue. If you follow the download instructions and burn a USB stick with the ISO, you’ll be able to boot the box and do the recovery.

  14. Good stuff man, I just used your guideline to change my CLI password. Had a little trouble issuing F2 from a Mac, but I forced the VM to boot into BIOS from the Edit Settings menu of the ISE VM so I didn’t have to worry about pressing F2.

    Ljupcho

  15. Hi all, there are 2 ISE nodes with HA in my environment. I can log in to both with the web UI, but I can only log in to the primary node with SSH; I cannot access the secondary node with SSH. As I understand it, the configuration should be synced since we are using HA mode. Please advise me :)

  16. Hello,
    After the Cisco ISE installation, it asks me for the ISE login and password. I type login = admin and password = cisco but it does not
    work. Help me please.

    1. Hi. It’s been ages since I did an install. Doesn’t the installer ask you for a username and password? Did you try that? Can you clarify whether you’re logging in on the CLI or via the web?

  17. @ malek:

    Like Joel said – there’s no default password. During the installation process you are required to set a password for the built-in cli admin user. That user account is automatically synced from cli to the GUI admin user during installation. You can then log into the GUI (or cli) using username “admin” and the password you set.

  18. I had this issue, and still have it. ISE 1.4 GUI access is fine, but SSH is not.
    tried the DVD but did not get password change options.

    these should be the same, but if the SSH admin is locked out, there is no way to get into the ISE, really dull method from Cisco here..

    1. Hi James, I’d be curious to know what options you did see when you booted the DVD. I recently forgot the SSH passwd for one of my lab boxes and I’m pretty sure I recovered it by booting the ISO and doing a reset.
