Diniz Martins

Dec 16, 2022 | 2 min

Cisco ISE | Secure Unlock Client mechanism

The Secure Unlock Client mechanism provides root shell access on the Cisco ISE Command Line Interface (CLI) for a limited period of time. As soon as the session is closed or exited, the root access is revoked. The Secure Unlock Client feature is implemented using the Consent Token tool. Consent Token is a uniform multi-factor authentication scheme to securely grant privileged access to Cisco products in a trusted manner, and only after mutual consent from both the customer and Cisco.

To access the root of the Cisco ISE CLI, use the permit rootaccess command in EXEC mode.

⚠️💥 Root access is limited because ISE is a security product granting network access and control. Due to the scope and possible impact while in root, it's advised that root is only accessed while being supervised by TAC engineers. Cisco does not provide root access for customer ISE deployments unless used specifically by the TAC or BE for troubleshooting or providing patches to the customer ISE deployment.  Root access is carefully monitored and is to be used by the TAC or BE only. 💥⚠️

The following example shows how to access the root of the Cisco ISE CLI:

Generate the Consent Token Challenge by choosing option 1:

You must submit the Challenge Token Request as part of a TAC case to obtain the Challenge Response. The challenge is valid only for 15 minutes; if you do not receive a Challenge Response within 15 minutes, you must generate a new challenge and submit it again. The root access granted through this challenge/response is locked again as soon as you exit the root shell.

Send the Consent Token Challenge to the Cisco Technical Assistance Center (TAC):

Cisco TAC generates the Consent Token Response from the Consent Token Challenge you provided.

Choose option 2 and then enter the Consent Token Response provided by the Cisco TAC:

Privileged access is enabled only if verification of the response signature succeeds.
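To make the security properties of this gate concrete, here is a small model of the challenge/response flow in Go. It is an added example, not Cisco's code and not the real Consent Token format: the device holds only a vendor public key, mints a challenge that carries a random nonce, its own identity and an issue time, and opens root only for a response that answers that exact challenge, within the 15-minute window, with a signature that verifies under the trusted key. The JSON token layout, the choice of Ed25519, the field names and the NewPair helper are all assumptions for the example; the page does not describe the actual Consent Token encoding or key material.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

const challengeTTL = 15 * time.Minute // models the 15-minute window the page describes

// Challenge is what the device prints (option 1) and the operator pastes into the TAC case.
type Challenge struct {
	DeviceID string `json:"device_id"`
	Nonce    string `json:"nonce"`     // 16 random bytes, base64
	IssuedAt int64  `json:"issued_at"` // Unix seconds
}

// Response is the vendor's reply: the exact challenge bytes it signed plus an Ed25519 signature.
type Response struct {
	Challenge []byte `json:"challenge"` // encoding/json base64-encodes []byte for us
	Signature []byte `json:"signature"` // ed25519.Sign(vendorPriv, Challenge)
}

// Device holds only the vendor's public key: it can verify a response but never mint one.
type Device struct {
	ID        string
	VendorPub ed25519.PublicKey
	Now       func() time.Time // injectable clock so expiry is testable
	pending   []byte           // challenge JSON awaiting a response; nil if none
	issued    time.Time        // when pending was generated
	RootOpen  bool
}

// GenerateChallenge (option 1) mints a fresh nonce and remembers it for this session only.
func (d *Device) GenerateChallenge() (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	d.issued = d.Now()
	c := Challenge{DeviceID: d.ID, Nonce: base64.StdEncoding.EncodeToString(nonce), IssuedAt: d.issued.Unix()}
	d.pending, _ = json.Marshal(c) // a struct of strings and ints cannot fail to marshal
	return base64.StdEncoding.EncodeToString(d.pending), nil
}

// EnterResponse (option 2) opens root only if the response answers the outstanding challenge,
// the challenge is still inside its window, and the signature verifies under the vendor key.
func (d *Device) EnterResponse(respB64 string) error {
	var r Response
	if raw, err := base64.StdEncoding.DecodeString(respB64); err != nil || json.Unmarshal(raw, &r) != nil {
		return errors.New("response is not well-formed")
	}
	// Byte-for-byte equality binds the response to this nonce, device ID and issue time, so a
	// response captured from another box or an earlier session cannot be replayed here.
	if d.pending == nil || !bytes.Equal(r.Challenge, d.pending) {
		return errors.New("response does not match an outstanding challenge")
	}
	if d.Now().Sub(d.issued) > challengeTTL {
		d.pending = nil
		return errors.New("challenge expired; generate a new one")
	}
	if !ed25519.Verify(d.VendorPub, r.Challenge, r.Signature) {
		return errors.New("response signature verification failed")
	}
	d.pending = nil // one response opens one session; entering it again must fail
	d.RootOpen = true
	return nil
}

// ExitRoot revokes the shell; the next root session needs a brand-new challenge/response.
func (d *Device) ExitRoot() { d.RootOpen = false }

// Vendor models the TAC side: it holds the private key and signs only well-formed challenges.
type Vendor struct{ Priv ed25519.PrivateKey }

// Answer takes the challenge string as pasted from the device and returns the response string.
func (v *Vendor) Answer(challengeB64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(challengeB64)
	if err != nil {
		return "", err
	}
	if err := json.Unmarshal(raw, new(Challenge)); err != nil {
		return "", err // refuse to act as a signing oracle for arbitrary bytes
	}
	out, _ := json.Marshal(Response{Challenge: raw, Signature: ed25519.Sign(v.Priv, raw)})
	return base64.StdEncoding.EncodeToString(out), nil
}

// NewPair creates a vendor key pair and a device that trusts its public half (constructed for the example).
func NewPair(deviceID string, now func() time.Time) (*Vendor, *Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Vendor{Priv: priv}, &Device{ID: deviceID, VendorPub: pub, Now: now}, nil
}
```

Two design points carry the "mutual consent" property. First, the device never holds signing material, so a compromised appliance cannot mint its own response; only the party with the private key can. Second, the response is compared byte-for-byte against the challenge the device itself generated, then checked for age, and only then signature-verified, so a response copied from a different appliance, or from an earlier session on the same one, is rejected before any cryptography runs, and the same response cannot be re-entered after root has been exited. That is the behaviour the page describes when it says the access is locked by the challenge/response process once you leave root.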

In the example below, I will delete a certificate:

Checking the certificates:

Deleting:

Exit the root mode and restart the process:
