Solved: ISE does not preserve "Admin" password changes after reboot

rezaalikhani · ‎12-29-2023

Hi all;

Consider you want to login to your ISE in CLI mode and your "Admin" password has expired. ISE provides you with password changing procedure and you successfully change your password. As I know, there is no "write memory" or "copy running-config startup-config" in ISE 3.2 and as Cisco's documentation, ISE should preserve the changes automatically. But in my case, after changing the password and then rebooting the box, ISE complains again expired "Admin" password.

Any ideas?

Thanks

rezaalikhani · ‎01-10-2024

Thanks for your support;

The problem was solved by following the procedure below:

Logged into the CLI of the ISE and changed the password by following the prompts it provided me (because the password had expired).
Using "username" command changed the password again.
Instead of halting ISE, this time I reloaded it, and something interesting occurred. ISE prompted me to save the configuration, and after pressing Enter, it notified me that the configuration changes had been successfully saved to the startup config.
ISE reloaded as normal and now I can log in to it as my latest password.

The interesting thing was that when I executed the "halt" command, it did not force me to accept writing changes to the startup config.

View solution in original post

Ruben Cocheno · ‎12-29-2023

@rezaalikhani

After login type password and change it again, reboot the box and check it. Also check the Password Policy on GUI as adjust it as required.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Marcelo Morais · ‎12-29-2023

Hi @rezaalikhani ,

please take a look at CSCwd73787 CLI password change doesnt persist in Confd DB after "password" command., fixed on ISE 3.2 P1.

Hope this helps !!!!

rezaalikhani · ‎12-30-2023

I use ISE 3.2 Patch 4.

hslai · ‎01-01-2024

@rezaalikhani Are you able to log back-in right after updating the password but before rebooting? If so, please use the CLI exec command "show running-config username" before the reloading and after. I tried changing the CLI password on one of my ISE 3.2 Patch 4 nodes and it worked fine as expected.

BTW, is this ISE upgraded from an earlier ISE release?

rezaalikhani · ‎01-04-2024

Yes, i have upgraded from previous patch versions as follows:

hslai · ‎01-09-2024

@rezaalikhani Are you able to compare the username line before and after reload? I meant ISE regular releases but not patch releases. Use ISE admin CLI command "show version history".

At this point, please engage Cisco Support if not already done so.

rezaalikhani · ‎01-10-2024

Thanks for your support;

The problem was solved by following the procedure below:

Logged into the CLI of the ISE and changed the password by following the prompts it provided me (because the password had expired).
Using "username" command changed the password again.
Instead of halting ISE, this time I reloaded it, and something interesting occurred. ISE prompted me to save the configuration, and after pressing Enter, it notified me that the configuration changes had been successfully saved to the startup config.
ISE reloaded as normal and now I can log in to it as my latest password.

The interesting thing was that when I executed the "halt" command, it did not force me to accept writing changes to the startup config.