
Cisco ISE | Secure Unlock Client mechanism

The Secure Unlock Client mechanism provides root shell access from the Cisco ISE Command Line Interface (CLI) for a limited period of time. As soon as the session is closed or exited, the root access is revoked. The Secure Unlock Client feature is implemented with the Consent Token tool. Consent Token is a uniform multi-factor authentication scheme that grants privileged access to Cisco products in a trusted manner, and only after mutual consent from both the customer and Cisco: the device generates a challenge, Cisco produces a signed response to it, and the device verifies that signature before opening the shell.


To access the root of the Cisco ISE CLI, use the permit rootaccess command in EXEC mode.


⚠️💥 Root access is restricted because ISE is a security product that grants network access and control. Due to the scope and possible impact of working as root, it is advised that root is only used while being supervised by TAC engineers. Cisco does not provide root access for customer ISE deployments unless it is used specifically by the TAC or BE for troubleshooting or for providing patches to the customer ISE deployment. Root access is carefully monitored and is to be used by the TAC or BE only. 💥⚠️


The following example shows how to access the root of the Cisco ISE CLI:

ISE/admin# permit rootaccess

1. Generate Challenge Token Request

2. Enter Challenge Response for Root Access

3. Show History

4. Exit

Generate the Consent Token Challenge by choosing option 1:

1. Generate Challenge Token Request
2. Enter Challenge Response for Root Access
3. Show History
4. Exit
Enter CLI Option: 1
Generating Challenge.....................................
Challenge String (Please copy everything between the asterisk lines exclusively):
*****************************************************************************************
GLOX7gAAAQEBAAQAAQUABAAADTFmZmEtOWI0ZS0wZjY1LTdlZDllMGQ1M2UzNQo=
*****************************************************************************************
Starting background timer of 15mins
1. Generate Challenge Token Request
2. Enter Challenge Response for Root Access
3. Show History
4. Exit
Enter CLI Option:

You must submit the Challenge Token Request as part of a TAC case to obtain the Challenge Response. The challenge is valid for only 15 minutes (the background timer started above). If you do not receive a Challenge Response within 15 minutes, generate a new challenge and submit that one instead. The root access granted through the response is locked again by the challenge/response process as soon as you exit the root shell.


Send the Consent Token Challenge to the Cisco Technical Assistance Center (TAC):

Cisco TAC generates the Consent Token Response from the Consent Token Challenge you provided.

Choose option 2 and then enter the Consent Token Response provided by the Cisco TAC:

Enter CLI Option: 2
Please input the response when you are ready .........................
vxOOQQAAAQEBAAQAAxUzN0Wm5GTlpaRHFyYm0NCkNVS2VyUXE5ZW1RemFrZytaU3F6dkE9PQ==
Response Signature Verified successfully !
Granting shell access

Privileged (root shell) access is granted only if the response signature verification succeeds; a response for a different or expired challenge is rejected.


In the example below, a local (system) certificate is deleted directly from the ISE configuration database from the root shell: switch to the oracle user and open SQL*Plus against the cpm10 database. This edits the database behind the application, bypassing the checks the ISE admin portal performs, which is why it belongs in a TAC-supervised root session as described in the warning above.

sh-4.2# su - oracle

[oracle@ISE~]$ sqlplus /@cpm10;

SQL>

Checking the certificates:

SQL> Select ID,FRIENDLYNAME from UPSLOCALCERTIFICATE;

ID
------------------------------------
FRIENDLYNAME
--------------------------------------------------------------------------------
b846cf67-f4d9-4b71-a985-654d9d5aabb
CN=ise.STENGE.com.br#TrustSign BR Certification Authority (DV) 2#0000


Deleting (the role-binding rows are removed first, then the certificate row itself, then the transaction is committed):

SQL> Delete from UPSLOCALCERTIFICATE_ISEROLES where ID='b846cf67-f4d9-4b71-a985-654d9d5aabb';

1 row deleted.

SQL> Delete from UPSLOCALCERTIFICATE where ID='b846cf67-f4d9-4b71-a985-654d9d5aabb';

1 row deleted.

SQL> Commit;

Commit complete.

Exit SQL*Plus and the root shell, then restart the ISE application from the ISE CLI so the change is picked up (this stops all ISE services on the node until the start completes):

SQL> exit

[oracle@ise ~]$ exit

sh-4.2# exit

ise/admin# application stop ise

ise/admin# application start ise

ise/admin# show app status ise
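The manual deletion above is three statements typed by hand with nothing guarding the gap between the lookup and the deletes. The following is an added example, not from the original post or from Cisco, that performs the same removal as one PL/SQL block in the same SQL*Plus session: it resolves the friendly name to exactly one ID (a mistyped name deletes nothing), reports how many role bindings it is about to remove, deletes child rows before the parent row, checks the row count, and rolls back on any error. It assumes only what the page shows: the tables UPSLOCALCERTIFICATE and UPSLOCALCERTIFICATE_ISEROLES joined on ID, and the FRIENDLYNAME column; the friendly name used is the one from the page's output.

```sql
-- Added example (not from the original post or Cisco). Run from the oracle
-- user's SQL*Plus session opened above: su - oracle; sqlplus /@cpm10
-- Assumptions: tables UPSLOCALCERTIFICATE and UPSLOCALCERTIFICATE_ISEROLES
-- share the certificate ID in column ID; FRIENDLYNAME is as shown on the page.
SET SERVEROUTPUT ON
SET AUTOCOMMIT OFF
DECLARE
  -- friendly name taken from the page's SELECT output
  v_friendly  UPSLOCALCERTIFICATE.FRIENDLYNAME%TYPE :=
    'CN=ise.STENGE.com.br#TrustSign BR Certification Authority (DV) 2#0000';
  v_id        UPSLOCALCERTIFICATE.ID%TYPE;
  v_bindings  NUMBER;
BEGIN
  -- SELECT ... INTO raises NO_DATA_FOUND or TOO_MANY_ROWS unless exactly one
  -- certificate matches, so the block aborts before any DELETE runs.
  SELECT ID INTO v_id
    FROM UPSLOCALCERTIFICATE
   WHERE FRIENDLYNAME = v_friendly;
  -- Show what is about to be removed alongside the certificate.
  SELECT COUNT(*) INTO v_bindings
    FROM UPSLOCALCERTIFICATE_ISEROLES
   WHERE ID = v_id;
  DBMS_OUTPUT.PUT_LINE('Removing certificate ' || v_id ||
                       ' with ' || v_bindings || ' role binding(s)');
  -- Child rows first, then the certificate row (same order as the manual steps).
  DELETE FROM UPSLOCALCERTIFICATE_ISEROLES WHERE ID = v_id;
  DELETE FROM UPSLOCALCERTIFICATE WHERE ID = v_id;
  -- SQL%ROWCOUNT refers to the last DELETE: exactly one certificate row.
  IF SQL%ROWCOUNT <> 1 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'expected to delete 1 certificate row, got ' || SQL%ROWCOUNT);
  END IF;
  COMMIT;
  DBMS_OUTPUT.PUT_LINE('Committed');
EXCEPTION
  WHEN OTHERS THEN
    ROLLBACK;   -- leave nothing half-deleted
    RAISE;      -- surface the real error to the operator
END;
/
```

After the block reports "Committed", exit SQL*Plus and the root shell and restart the ISE application (application stop ise / application start ise) exactly as in the manual procedure; the database change alone does not refresh the running services.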


