You need a second ISE node CLI admin account

It’s a scenario I’ve seen pretty often. You try to log into the CLI of an ISE node (SSH or console) with the admin account and the login fails, even though you have verified the password is correct. The account has been locked because of too many failed login attempts. With only one CLI admin account, the only way back in is to boot the node from the ISE installation ISO and run its administrator password recovery. It isn’t a difficult process, but it takes that node out of service while you do it.

More often than not, the cause is a security scanner. Businesses test their systems for vulnerabilities, the ISE node isn’t excluded from the scan, and the scanner makes a brute-force attempt to log into the node over SSH. Enough failed guesses against the admin account and the CLI admin account is locked. If a second (or even third) CLI admin account had been configured, an administrator could have logged in with it and reset the locked admin account from the CLI instead of rebooting the node.

Adding an additional CLI login is simple. Log into the ISE node CLI and run the following commands:

configure terminal
username <new user> password plain <password> role admin

It’s important to end the command with role admin. With role user, the account you create only gets the restricted command set (no configuration commands), so it could not reset the locked admin account when you need it to. Be sure to test the new account with a real SSH login before you actually need it, and store its password alongside the primary admin credential. Keep in mind that the second account is subject to the same lockout policy as the first: a scanner that guesses against every account name it knows can lock it too, so either exclude the ISE nodes from SSH brute-force checks or give the backup account a name the scanner is unlikely to try.
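As an added check (this script is not part of the original post and is not Cisco’s tooling), the following POSIX shell audit reads a captured `show running-config` from an ISE node and warns when fewer than two CLI accounts carry role admin. The config sample embedded below is constructed, and the exact shape of the `username ... role ...` lines in the running configuration is an assumption; adjust the awk pattern if your node prints them differently.

```shell
#!/bin/sh
# Added example, not from the original post or from Cisco ISE itself:
# audit an ISE 'show running-config' capture for CLI admin redundancy.
# Assumption: each CLI account appears as a line starting with
# "username <name> ... role <admin|user>".

# Constructed sample of 'show running-config' output (not a real node).
SAMPLE_CONFIG='hostname ise-psn-01
ip domain-name example.local
username admin password hash $6$abcdef$0000000000000000000000000000000000000000000 role admin
username netops password hash $6$ghijkl$1111111111111111111111111111111111111111111 role user
ntp server 10.0.0.5'

# list_cli_accounts: read a config on stdin, print "<user> <role>" per account.
list_cli_accounts() {
    awk '$1 == "username" {
        role = "";
        for (i = 2; i <= NF; i++) if ($i == "role") role = $(i + 1);
        print $2, role
    }'
}

# count_admin_accounts: number of CLI accounts with role admin (config on stdin).
count_admin_accounts() {
    list_cli_accounts | awk '$2 == "admin"' | wc -l | tr -d ' '
}

# check_admin_redundancy: exit 0 when at least two admin accounts exist,
# exit 1 (with a warning on stderr) when there is only one or none.
check_admin_redundancy() {
    n=$(count_admin_accounts)
    if [ "$n" -lt 2 ]; then
        echo "WARN: only $n CLI account(s) with role admin; add a second one before you get locked out" >&2
        return 1
    fi
    echo "OK: $n CLI accounts with role admin"
    return 0
}

# Usage on the constructed sample: 'netops' is role user, so only 'admin'
# counts and the check warns. Feed a real capture with:
#   ssh admin@<node> 'show running-config' | check_admin_redundancy
printf '%s\n' "$SAMPLE_CONFIG" | check_admin_redundancy || true
```

Run it against a saved copy of each node’s running configuration as part of a periodic configuration audit; it cannot tell you whether an account is currently locked, only whether a backup account exists at all.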
