
Cisco ISE | Secure Unlock Client mechanism

The Secure Unlock Client mechanism provides root shell access on the Cisco ISE Command Line Interface (CLI) for a limited period of time. As soon as the session is closed or exited, root access is revoked as well. The Secure Unlock Client feature is implemented using the Consent Token tool. Consent Token is a uniform multi-factor authentication scheme that grants privileged access to Cisco products securely and in a trusted manner, and only after mutual consent from both the customer and Cisco.


To access the root of the Cisco ISE CLI, use the permit rootaccess command in EXEC mode.


⚠️💥 Root access is limited because ISE is a security product that grants network access and control. Due to the scope and possible impact of working as root, it is advised that root is only accessed while being supervised by TAC engineers. Cisco does not provide root access for customer ISE deployments unless it is used specifically by the TAC or BE for troubleshooting or for providing patches to the customer ISE deployment. Root access is carefully monitored and is to be used by the TAC or BE only. 💥⚠️


The following example shows how to access the root of the Cisco ISE CLI:

ISE/admin# permit rootaccess

1. Generate Challenge Token Request

2. Enter Challenge Response for Root Access

3. Show History

4. Exit

Generate the Consent Token Challenge by choosing option 1:

1. Generate Challenge Token Request
2. Enter Challenge Response for Root Access
3. Show History
4. Exit

Enter CLI Option: 1

Generating Challenge.....................................

Challenge String (Please copy everything between the asterisk lines exclusively):
*****************************************************************************************
GLOX7gAAAQEBAAQAAQUABAAADTFmZmEtOWI0ZS0wZjY1LTdlZDllMGQ1M2UzNQo=
*****************************************************************************************

Starting background timer of 15mins

1. Generate Challenge Token Request
2. Enter Challenge Response for Root Access
3. Show History
4. Exit

Enter CLI Option:

You must submit the Challenge Token Request as part of a TAC case to obtain the Challenge Response. The challenge is valid only for 15 minutes. If you do not receive a Challenge Response within 15 minutes, you must generate a new challenge and submit it again. The root access granted through TAC is locked again by the challenge/response process once you exit the root-level access.


Send the Consent Token Challenge to the Cisco Technical Assistance Center (TAC):

Cisco TAC generates the Consent Token Response from the Consent Token Challenge you provided.

Choose option 2 and then enter the Consent Token Response provided by the Cisco TAC:

Enter CLI Option: 2

Please input the response when you are ready .........................
vxOOQQAAAQEBAAQAAxUzN0Wm5GTlpaRHFyYm0NCkNVS2VyUXE5ZW1RemFrZytaU3F6dkE9PQ==

Response Signature Verified successfully !

Granting shell access

The privileged access is enabled if response signature verification is successful.
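The challenge/response flow described above, modelled as an added example. This is not Cisco code: the Consent Token wire format, the signature scheme and the keys involved are not on this page, so Ed25519 stands in for the real signature, the challenge layout (device id, issue time, random nonce) is an assumption of this example, and the device id "ise-lab-01" is constructed. What it shows is the security property of the mechanism: the device issues a challenge, the TAC side signs it after consent, the device verifies the signature against a pinned Cisco public key, enforces the 15-minute timer, consumes the challenge so a response cannot be replayed, records history (option 3 in the menu) and revokes the grant as soon as the shell is exited.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ChallengeTTL mirrors the 15-minute background timer the ISE CLI starts
// after generating a challenge. The value is from the page; the encoding
// below is an assumption of this example, not Cisco's wire format.
const ChallengeTTL = 15 * time.Minute

// Device models the ISE side of the Secure Unlock Client flow.
type Device struct {
	ID        string
	CiscoPub  ed25519.PublicKey // pinned trust anchor used to verify the TAC response
	pending   []byte            // outstanding challenge, nil once consumed or expired
	issuedAt  time.Time
	RootShell bool
	History   []string // what "3. Show History" would list
}

// NewChallenge builds a fresh challenge: device id + issue time + 16 random bytes.
func (d *Device) NewChallenge(now time.Time) (string, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(now.Unix()))
	ch := append(append([]byte(d.ID+"|"), ts...), nonce...)
	d.pending, d.issuedAt = ch, now
	d.History = append(d.History, now.UTC().Format(time.RFC3339)+" challenge generated")
	return base64.StdEncoding.EncodeToString(ch), nil
}

// SignResponse models the TAC side: after mutual consent, the challenge is
// signed with Cisco's private key and the signature is returned to the customer.
func SignResponse(priv ed25519.PrivateKey, challengeB64 string) (string, error) {
	ch, err := base64.StdEncoding.DecodeString(challengeB64)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, ch)), nil
}

// EnterResponse verifies the response. Shell access is granted only if the
// signature is valid for the outstanding challenge and the 15-minute window
// has not expired; a consumed challenge cannot be unlocked a second time.
func (d *Device) EnterResponse(responseB64 string, now time.Time) error {
	if d.pending == nil {
		return errors.New("no outstanding challenge")
	}
	if now.Sub(d.issuedAt) > ChallengeTTL {
		d.pending = nil
		return errors.New("challenge expired; generate a new one")
	}
	sig, err := base64.StdEncoding.DecodeString(responseB64)
	if err != nil {
		return err
	}
	if !ed25519.Verify(d.CiscoPub, d.pending, sig) {
		d.History = append(d.History, "response signature verification FAILED")
		return errors.New("response signature verification failed")
	}
	d.pending = nil // single use: the same response cannot unlock twice
	d.RootShell = true
	d.History = append(d.History, "response verified, shell access granted")
	return nil
}

// ExitShell models leaving the root shell: the grant is revoked immediately.
func (d *Device) ExitShell() {
	d.RootShell = false
	d.History = append(d.History, "root shell exited, access revoked")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for Cisco's signing key
	dev := &Device{ID: "ise-lab-01", CiscoPub: pub}  // constructed device id
	now := time.Now()
	ch, _ := dev.NewChallenge(now)
	fmt.Println("Challenge:", ch)
	resp, _ := SignResponse(priv, ch)
	if err := dev.EnterResponse(resp, now.Add(5*time.Minute)); err != nil {
		fmt.Println("denied:", err)
		return
	}
	fmt.Println("Granting shell access")
	dev.ExitShell()
	for _, h := range dev.History {
		fmt.Println(h)
	}
}
```

The design point is that the challenge, not a shared password, is what gets unlocked: it is bound to this device and this time window, the device never holds the signing key, and once the grant is consumed or the shell is exited nothing remains that could reopen root without a new round trip through TAC.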


In the example below, I will delete a certificate:

sh-4.2# su - oracle

[oracle@ISE~]$ sqlplus /@cpm10;

SQL>

Checking the certificates:

SQL> Select ID,FRIENDLYNAME from UPSLOCALCERTIFICATE;

ID
------------------------------------
FRIENDLYNAME
--------------------------------------------------------------------------------
b846cf67-f4d9-4b71-a985-654d9d5aabb
CN=ise.STENGE.com.br#TrustSign BR Certification Authority (DV) 2#0000


Deleting:

SQL> Delete from UPSLOCALCERTIFICATE_ISEROLES where ID='b846cf67-f4d9-4b71-a985-654d9d5aabb';

1 row deleted.

SQL> Delete from UPSLOCALCERTIFICATE where ID='b846cf67-f4d9-4b71-a985-654d9d5aabb';

1 row deleted.

SQL> Commit;

Commit complete.

Exit root mode and restart the ISE application:

SQL> end

[oracle@ise ~]$ exit

sh-4.2# exit

ise/admin# application stop ise

ise/admin# application start ise

ise/admin# show app status ise

