ISE GUI Password Reset
Okay... so this one bit me again this morning... By default, ISE has this "feature" where the GUI login expires automatically after 45 days... awesome... ok, no big deal, I'll just reset it again.
I remembered that the GUI password needed to be reset from the ISE CLI, but forgot that there was a special command to do so.
When you log into the ISE CLI, you get a very similar look and feel to IOS routers and switches. Also, when you run the command "show run" you see very similar output and even some usernames and password hashes:
Last login: Mon Feb 13 18:34:54 2017
Failed to log in 1 time(s)
Last failed login on Mon Feb 13 18:13:00 2017 from tty1
ISE-LAB/LABadmin#
ISE-LAB/LABadmin# sh run
Generating configuration...
!
hostname ISE-LAB
!
ip domain-name labnetworks.com
!
***(Output omitted for brevity)***
!
ip name-server 10.100.100.40
!
ip default-gateway 10.100.21.1
!
clock timezone UTC
ntp server 10.100.100.40
!
username LABadmin password hash $5$dSEBPzEi$FX4..vcQPM8CX9dmT/t4WTUAboZ4RLS4yKFxurJ1ld0 role admin
username wirelessadmin password hash $5$ZERI8LPQ$Cz4tAHMGVTlvEy01wvusNj0vYhmf7Ps55Jibgl/Cvv/ role admin
!
max-ssh-sessions 5
!
service sshd enable
!
--More--
ISE-LAB/LABadmin#
So, one would think you just need to reset the GUI login by changing the "username" lines in the config above, right?
Nope... those are just logins for the CLI.
Instead, you need to issue a password-reset command on the CLI for the GUI username you are trying to reset.
ISE-LAB/LABadmin# application reset-passwd ise wirelessadmin
Enter new password:
Confirm new password:
Password reset successfully.
ISE-LAB/LABadmin#
To clarify a bit more on this, the "wirelessadmin" username you see above in the CLI config is actually not the same as the "wirelessadmin" login I just reset. In fact, they are two separate accounts that happen to share the same name: one lives in the CLI user store and the other in the GUI admin store. I've seen many customer environments where both the CLI and GUI login credentials are the same (I am often guilty of this myself), and this is partially why this scenario can be confusing and frustrating, unless you remember that you need to issue the "application reset-passwd ise {username}" command in order to reset the GUI login.
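To make the two-store split concrete, here is an added example (not from the original post, and not Cisco tooling) that inventories the CLI accounts in a saved "show run" and flags names that also exist as GUI admins. The sample config uses constructed placeholder hashes, and the GUI admin list is an assumed, hand-collected input.

```python
import re

# Standard modular-crypt scheme identifiers (the "$5$" prefix seen in the config).
CRYPT_SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt"}

USER_LINE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+hash\s+(?P<hash>\S+)"
    r"\s+role\s+(?P<role>\S+)\s*$"
)

# Constructed sample: same shape as the "sh run" output, placeholder hashes.
SAMPLE_RUNNING_CONFIG = """\
hostname ISE-LAB
!
username LABadmin password hash $5$CONSTRUCTED$PLACEHOLDERHASH1 role admin
username wirelessadmin password hash $5$CONSTRUCTED$PLACEHOLDERHASH2 role admin
!
service sshd enable
"""

# Assumption: GUI admin names copied by hand from the admin portal (constructed).
SAMPLE_GUI_ADMINS = ["admin", "wirelessadmin"]

def parse_cli_users(running_config):
    """Return {username: {"role", "scheme"}} for CLI accounts in the config."""
    users = {}
    for line in running_config.splitlines():
        m = USER_LINE.match(line.strip())
        if not m:
            continue
        parts = m.group("hash").split("$")
        scheme_id = parts[1] if len(parts) > 2 and parts[0] == "" else ""
        users[m.group("name")] = {
            "role": m.group("role"),
            "scheme": CRYPT_SCHEMES.get(scheme_id, "unknown"),
        }
    return users

def compare_stores(cli_users, gui_admins):
    """Split names into shared, CLI-only and GUI-only (names are case-sensitive)."""
    cli, gui = set(cli_users), set(gui_admins)
    return {
        "shared_name": sorted(cli & gui),  # same name, two separate passwords
        "cli_only": sorted(cli - gui),
        "gui_only": sorted(gui - cli),
    }

if __name__ == "__main__":
    print(compare_stores(parse_cli_users(SAMPLE_RUNNING_CONFIG), SAMPLE_GUI_ADMINS))
```

Any name reported under "shared_name" has two independent passwords: the CLI one from the "username" line and the GUI one reset with "application reset-passwd ise {username}".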
One possible option to avoid this happening in the future is to disable the automatic GUI login expiration, but check first with your security group as this may not be permissible.
If you can disable this "feature", simply do this:
Navigate in the GUI to:
Administration > Admin Access > Password Policy
and then uncheck the box:
Administrator passwords expire ___45___ days after creation or last change (valid range 1 to 3650)