ISE Password Recovery Mechanisms
ISE Password Recovery Mechanisms
Components Used
Additional Content
ISE GUI Password Recovery Mechanism
Introduction
This document describes different mechanisms for password recovery for Identity Services Engine
(ISE) CLI and GUI based on the type of appliance.
Prerequisites
Requirements
Components Used
• ISE virtual machine (VMware version 8 (default) for ESXi 5.x (5.1 U2 minimum) )
• ISE 3500 series appliance (ISE-3515-K9 / ISE-3595-K9)
• SNS-3600 series appliance (SNS-3615-K9 /SNS-3655-K9/SNS-3695-K9 )
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, ensure
that you understand the potential impact of any command.
Step 3. Right-click ISE VM from the list and select Edit Settings.
Step 4. In the dialog box, navigate to Virtual Hardware > CD/DVD, browse to the ISE version ISO under
datastore ISO file.
Step 5. Click Connect At PowerOn as shown in the image.
Step 6. Navigate to Options > Boot options, enable the option Force BIOS Setup as shown in the image here, and
click OK to continue.
Step 7. Power on the ISE VM and monitor the VM console for BIOS prompt.
Step 8. Change the boot order of CD-ROM Drive and bring it to the first position.
Cisco ISE supports these VMware servers and clients:
• VMware version 8 (default) for ESXi 5.x (5.1 U2 minimum) is the version to 9 or later. RHEL 7 is
supported with VMware hardware version 9 and later.
Step 9. Hit the Enter button to save new boot order settings and exit the BIOS configuration mode. Select
option 3 from the ISE Installer page to start System Utilities (Keyboard/Monitor).
Step 10. Select Option 1 from System Utilities to recover the Administrator Password. Option 1 provides the
list of administrators accounts configured on ISE device.
Step 11. Select Option 1 for username admin and enter a new password. Enter y to save the new password
and continue to System Utilities page.
Enter q to exit the System Utilities page.
Step 12. Click Enter to boot the ISE from the current hard disk.
Step 13. (Optional). Execute steps 6-8 in order to restore boot order to the hard drive as the first option
after successful password recovery. This step is required so that you do not have to enter the admin
password recovery prompt every time an ISE VM is rebooted.
Note: If the new password does not work after you have followed the aforementioned steps, wait for
15-30 minutes before you attempt to sign in to the ISE CLI.
There are three types of SNS 3600 series appliances which support ISE:
• SNS-3615
• SNS-3655
• SNS-3695
There are two methods to recover password on SNS 3600 Series appliances:
• Password recovery through the use of Cisco Integrated Management Controller (CIMC)
• Password recovery through the use of a bootable USB
This Password Recovery method requires CIMC configuration setup on 36XX series hardware. Refer to
Setting Up the System With the Cisco IMC Configuration Utility to know more about CIMC configuration
steps.
Use CIMC connection to manage Cisco SNS-35XX and SNS-36XX appliances. KVM utility through CIMC
connection can be used to perform all operations including BIOS configuration on Cisco SNS-35XX or
Cisco SNS-36XX appliance.
Step 1. Use the ports that were selected in NIC Mode setting to connect Ethernet cables from the LAN to the
server. The Active-active and Active-passive NIC redundancy settings require to connect to two ports.
Detailed information is provided in CIMC configuration guide.
Step 2. Use a browser and the IP address of the CIMC to log in to the CIMC Setup Utility. The IP address is
based upon CIMC config settings which were made during CIMC configuration steps(either a static address
or the address assigned by your DHCP server).
Note: The default user name for the server is admin. The default password is password.
Step 3. Enter the username and password in order to log in to the CIMC portal.
Step 6. Click Create Image to select the current ISE version ISO from the system that runs your client browser.
Step 7. Check the Mapped check box against the virtual CD/DVD drive which is created.
Step 8. Choose Macros > Ctrl-Alt-Del to boot the Cisco SNS-35XX or Cisco SNS-36XX appliance through use
of the ISO image.
Step 9. Press F6 to bring up the boot menu. A similar screen appears as shown in this image.
Step 10. Select the CD/DVD that is mapped and press Enter. The message is displayed here.
Step 11. Select option 3 or option 4 (enter 3 for keyboard and video monitor connected to the appliance, or
enter 4 if access is through a local serial console port connection):
Select Option 1 from the screen here and proceed.
Step 12. Select the required username from the list and press enter to reset the password.
Admin username:
[1]:admin
[2]:admin2
[3]:admin3
[4]:admin4
Enter number of admin for password recovery:2
Password:
Verify password:
Save change and reboot? [Y/N]:y
Before You Begin: Create a bootable USB drive. See Create a Bootable USB Device to Install Cisco ISE.
Step 2. Plugin the bootable USB drive that has the bootable Cisco Secure ISE ISO image into the USB port.
Step 3. Restart SNS-35XX appliance and navigate to the BIOS mode on console.
Step 7. Select option 3 or option 4 (enter 3 if connected through keyboard and a video monitor or enter 4 for
a local serial console port connection):
Step 8. Select option 1 to start the administrator password recovery menu.
Step 9. Select the correct username from the list and press enter to reset the password.
Admin username:
[1]:admin
[2]:admin2
[3]:admin3
[4]:admin4
Enter number of admin for password recovery:2
Password:
Verify password:
Save change and reboot? [Y/N]:y
Password reset is completed.
Additional Content
ISE GUI Password Recovery Mechanism
Note: Remember that the console admin account is different than the web UI admin account. They
have the same username but can have different passwords.
Step 2. From the command prompt, use the application reset-passwd ise admin command to set a new web UI
admin password.
Step 5. To confirm that the new password works, use the new password to log in to GUI.