Reset admin password in Cisco ISE in CLI (Vmware)

There will be occasions that you forget the admin password or you got locked out and the only option option left is to reset the admin password.Follow below steps to reset your password 

NOTE : Below steps were tried on ISE 1.3

Recommended : For safety I prefer to take a VM snapshot before proceeding.

To take a Snapshot in the vSphere Client

1. Right click on the  Virtual Machine and choose option  Snapshot > Take Snapshot.
2. Type a name for the snapshot.
3. Type a description for the snapshot.
Adding a date and time or a description, for example, "Snapshot before applying XYZ patch," can help you determine which snapshot to restore or delete.
4.Click OK

Revert to a Snapshot in the vSphere Client

1.Right-click a virtual machine in the vSphere Client inventory and select Revert to Current Snapshot.

Password Recovery for ISE virtual machine

Step 1. Download  the ISO file of the current ISE version form Cisco software download site and upload it to the virtual machine's datastore.
Step 2. Power off  the virtual machine.
Step 3. Right Click ISE VM from the list and select Edit settings.
Step 4. In the virtual Machine properties window, navigate to  Hardware > CD/DVD, then select option Datastore ISO file and click on browse to the ISE version ISO under datastore ISO file.
Step 5. Click Connect At Power On  option.
Step 6. Navigate to Options tab in the same virtual machine properties window> go to Boot options, enable the option for FORCE BIOS Setup [The next time the virtual machine boots,force entry to bios setup screen and Click Ok. [Or you can press F2 or F12 continously while booting]
Step 7. Power on the VM and open VM console.
Step 8. You get a BIOS prompt.
Step 9. Change the order of CD-ROM Drive to be before the hard drive. [You can change the setting using + or - keys] and hit F10 to save the settings 

Step 10. On the next screen you get the options, as shown in this image.
Step 11. Select Option 3. You are prompted on this screen.

Select Option 1 for username admin and enter new password.

After successful password reset. it redirects you to the prompt shown in Step 10
Step 12. Click Enter in order to boot the ISE from existing hard disk.
Step 13. (Optional). You can redo steps 6-8  in order to restore the boot order to the hard drive as first option after successful password recovery in order to avoid  entering the  admin password recovery prompt every time a user access ISE VM console.

While doing the password recovery once we faced a situation that we didnt see the option to in step 11 [Select Option 1 for username admin and enter new password.].We tried to reboot again and was not getting option to reset admin password.Instead of that it was asking to set a new username and password.Even you enter a new username and password ,ISE used to get stuck in the loading screen in VMconsole.We restored the VMsnapshot and did the steps as per the procedure and we were able to 

Short note on basic Cisco ISE (Identity Services Engine) Features

Cisco ISE (Identity Services Engine) is a security policy management platform that provides secure access to network resources. Cisco ISE functions as a policy decision point and enables enterprises to ensure compliance, enhance infrastructure security, and streamline service operations. Cisco ISE allows enterprises to gather real-time contextual information from networks, users, and devices.Cisco ISE Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance

Identity-Based Network Access

The Cisco ISE solution provides context-aware identity management in the following areas:
• Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
• Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
• Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role,location, device type, and so on).
• Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.

Basic User Authentication and Authorization

User authentication policies in Cisco ISE enable you to provide authentication for a number of user login session types using a variety of standard authentication protocols including, but not limited to, Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Protected Extensible Authentication Protocol (PEAP), and Extensible Authentication Protocol (EAP). Cisco ISE specifies the allowable protocol(s) that are available to the network devices on which the user tries to authenticate and specifies the identity sources from which user authentication is validated.

Cisco ISE supports 802.1X, MAC authentication bypass (MAB), and browser-based Web authentication login for basic user authentication and access via both wired and wireless networks.

Client Posture Assessment

To ensure that the imposed network security measures remain relevant and effective, Cisco ISE enables you to validate and maintain security capabilities on any client machine that accesses the protected network. By employing posture policies that are designed to ensure that the most up-to-date security settings or applications are available on client machines, the Cisco ISE administrator can ensure that any client machine that accesses the network meets, and continues to meet, the defined security standards for enterprise network access.

Posture assessment and compliance occurs using one of the following agent types available in Cisco ISE:
Cisco NAC Web Agent—A temporal agent that the users install on their system at the time of login and that is no longer visible on the client machine once the login session terminates.
Cisco NAC Agent—A persistent agent that, once installed, remains on a Windows or Mac OS X client machine to perform all security compliance functions.
AnyConnect ISE Agent — A persistent agent that can be installed on Windows or Mac OS X client to perform posture compliance functions.

Profiled Endpoints on the Network

The Profiler service assists in identifying, locating, and determining the capabilities of all endpoints on your network (known as identities in Cisco ISE), regardless of their device types, to ensure and maintain appropriate access to your enterprise network. The Cisco ISE Profiler function uses a number of probes to collect attributes for all endpoints on your network, and pass them to the Profiler analyzer, where the known endpoints are classified according to their associated policies and identity groups.

The Profiler Feed service allows administrators to retrieve new and updated endpoint profiling policies and the updated OUI database as a feed from a designated Cisco feed server through a subscription in to Cisco ISE.

Short note on Cisco Trustsec

Cisco TrustSec provides security improvements to Cisco network devices based on the capability to strongly identify users, hosts, and network devices within a network. TrustSec provides topology-independent and scalable access controls by uniquely classifying data traffic for a particular role. 

The Cisco TrustSec solution establishes clouds of trusted network devices to build secure networks. Each device in the Cisco TrustSec cloud is authenticated by its neighbors (peers). Communication between the devices in the TrustSec cloud is secured with a combination of encryption, message integrity checks, and data-path replay protection mechanisms. 

The key component of Cisco TrustSec is the Cisco Identity Services Engine (ISE). Cisco ISE can provision switches with TrustSec Identities and Security Group ACLs (SGACLs), though these may be configured manually on the switch.

Familiar with Trustsec terms

802.1AE Tagging (MACsec) - Protocol for IEEE 802.1AE-based wire-rate hop-to-hop Layer 2 encryption.Between MACsec-capable devices, packets are encrypted on egress from the transmitting device,decrypted on ingress to the receiving device, and in the clear within the devices.This feature is only available between TrustSec hardware-capable devices.

Endpoint Admission Control (EAC) - EAC is an authentication processfor an endpoint user or a device connecting to the TrustSec domain.Usually EAC takes place at the access level switch.Successful authentication and authorization in the EAC process results in Security Group Tag assignment for the user or device. Currently EAC can be 802.1X, MAC Authentication Bypass(MAB), and Web Authentication Proxy (WebAuth).

Network Device Admission Control (NDAC) - NDAC is an authentication process where each network device in the TrustSec domain can verify the credentials and trustworthiness of its peer device.NDAC utilizes an authentication framework based on IEEE 802.1X port-based authentication and uses EAP-FAST as its EAP method. Successful authentication and authorization in NDAC process results in Security Association Protocol negotiation for IEEE 802.1AE encryption 

Security Group Access Control List (SGACL) - A Security Group Access Control List (SGACL) associates a Security Group Tag with a policy. The policy is enforced uponSGT-tagged traffic egressing the TrustSec domain.

Security Association Protocol (SAP) - After NDAC authentication, the Security Association Protocol (SAP) automatically negotiates keys and the cipher suite for subsequent MACSec link encryption between TrustSec peers. SAP is defined in IEEE 802.11i.

Security Group Tag (SGT) - An SGT is a 16-bit single label indicating the security classification of a source in the TrustSec domain. It is appended to an Ethernet frame or an IP packet.

SGT Exchange Protocol (SXP) - Security Group Tag Exchange Protocol (SXP). With SXP, devicesthat are not TrustSec-hardware-capable can receive SGT attributes for authenticated users and devices from the Cisco Identity Services Engine (ISE) or the Cisco Secure Access Control System (ACS). The devices can then forward a sourceIP-to-SGT binding to a TrustSec-hardware-capable device will tag the source traffic for SGACL enforcement.

Points to Remember

  • Trustsec is a context based firewall or access control solution.Classification of system or users based on the context [users,user groups ,role of the user etc]
  • Key function of Trustsec is Classify , Propagate , Enforce 
  • Classification can be done Dynamically or statically .Need to keep in mind that NOT all platform support all types of static classification. It is  very important to verify support on hardware and software.
  • SGT information is carried in 802.1AE
  • A Cisco TrustSec-capable device that is directly connected to the authentication server, or indirectly connected but is the first device to begin the TrustSec domain, is called the seed device. Other Cisco TrustSec network devices are non-seed devices.
  • To prevent confidentiality and integrity there will be Hop by Hop encryption by 802.1AE
  • Packets are encrypted in Ingress and decrypted in Egress
  • Security Group Access Control List (SGACL) - This SGACL is not using IP addresses

Main 3 components of Cisco Trustsec are 

  • Authentication - Identify and access privileges
  • Secure Communication - Data is transferred by secure link level encryption with 802.1AE 
  • SGACL - SGACL enforces security policies before allowing endpoint access to resources

All the devices in Trustsec domain need to get authenticated itself in the Trustsec network.This will help to keep away unauthenticated devices getting network access.This is done by using
Security Group tag (SGT) 

- SGT uses a 16 bit tag for each individual role and device connected to a Trustsec domain. This Tag represent the privilege level across the entire domain
- SGT is added to packet header at the ingress point of the trustsec domain and SGT tag carry information that is used to endpoint access privilege 
- SGT will be adding to the packet at the time of authorization process when endpoint using 802.1x method to get authenticated to the network 
- SGT will be passed to a switch dynamically and later will be authenticated based on MAB /Web Auth/802.1x
- SGT will dynamically automate the process of network wired policy deployment and enforcement

How to configure port monitoring / Port Mirroring / SPAN on Cisco Switch

As a network engineer you may come across situations which You need to analyze /monitor/ Troubleshoot network traffic passing through a specific port or VLAN.

This can be done by  Switched Port Analyzer (SPAN) .Once you configure SPAN it will  send a copy of the traffic from source port to another port(destination port) on the switch and the traffic can be monitored by connecting to a computer with a wireshark (or similar software) to the destination port and configure it to capture and analyse the traffic.


Ingress Traffic: Traffic that enters the switch
Egress Traffic: Traffic that leaves the switch
Source (SPAN) port: A port that is monitored
Source (SPAN) VLAN: A VLAN whose traffic is monitored
Destination (SPAN) port: A port that monitors source ports.


Source SPAN ports are monitored for received (RX - Ingress), transmitted (TX - Egress) or bidirectional (both) traffic.  Traffic entering or exiting the Source SPAN ports is mirrored to the Destination SPAN port.

In the below example we need to monitor traffic (send and recieve) coming to interface fastEthernet0/2 and this need to be copied to destionation interface fastEthernet0/5 for monitoring.Once we setup this, we can directly connect a laptop with a wireshark to  switch interface fastEthernet0/5 and monitor all the traffic sending and receiving on interface fastEthernet0/2

Switch-A# configure terminal
Switch-A(config)# monitor session 1 source interface fastEthernet0/2 
Switch-A(config)# monitor session 1 destination interface fastEthernet0/5
Switch-A(config)# exit

Confirming the monitoring session and operation requires one simple command, show monitor:

Switch-A# show monitor

Session 1
Type              : Local Session
Source Ports      :
Both          : Fa0/2
Destination Ports : Fa0/3
Encapsulation: Native
Ingress: Disabled

NOTE : show monitor session 1 detail can be used to see more details

NOTE : Once the port monitoring is activated no traffic is send OUT from destination Interface .It will only recieve the traffic copied from source interface .Also note that this setup do not affect the switching of network traffic on source ports.


Filtering logs in monitoring tab of Palo Alto

One of the best feature I loved in NGFW palo alto network is its search functionality .By default all log files are generated and stored locally on the firewall .

Filtering of traffic in monitor tab of paloalto helps us to find many things including
1.whether a traffic is getting allowed or denied
2.To filter traffic based on host, zone, port, action etc
3.To filter traffic between a specified time
4.Filter traffic from a particular user
5.Filter traffic to or from a specific IP /Network /Zone

In some cases we should have successfully created the policy in PaloAlto but we may forget to add the needed port in  that rule.When a user is complaining that he is not able to access a particular service in a  particular server we can easily figure out whats going on by reviewing the logs in monitoring tab of PaloAlto.

Login to PaloAlto and Goto Monitor > Traffic(left tab).There you can see the traffic flow .To change the automatic refresh interval, select an interval from the drop-down (1 min, 30 seconds, 10 seconds,or Manual).

To change the number of log entries per page, select the number of rows from the Rows drop-down

Select the Resolve Hostname check box to begin resolving external IP addresses to domain names.

To filter traffic from source 

1.Click on any IP in the source field
2.It will automatically add addr.src in x.x.x.x in the filter bar. eg (addr.src in 
3.Press ENTER.
4.It will show all the traffic generating from
5.Edit IP as per your need.

Some other examples

Destination Filter: (addr.dst in - shows all traffic with a destination address of a host that matches
Filter a source network : ( addr.src in ) - shows all traffic from network
Filter a destination network : (addr.dst in  - shows all traffic to network

Filter using Source and Destination

(addr.src in AND (addr.dst in - shows all traffic coming from a host with an IP address of and going to a host destination address of

Filter for source OR destination

(addr in - Shows all traffic with a source OR destination address of a host that matches

Zone Traffic Filter Examples 


(zone.src eq TRUST) - shows all traffic coming from the TRUST zone


(zone.dst eq UNTRUST) - shows all traffic going out the UNTRUST zone

(zone.src eq TRUST) and (zone.dst eq UNTRUST) - shows all traffic traveling from the TRUST zone and going out the through UNTRUST

PORT Traffic Filter Examples


(port.src eq 22)- shows all traffic traveling from source port 22


(port.dst eq 80)- shows all traffic traveling to destination port 80

Allowed/Denied Traffic Filter Examples 


(action eq allow) 
(action neq deny)

Example: (action eq allow)- Shows all traffic allowed by the firewall rules.

NOTE: Placing the letter 'n' in front of 'eq' means 'not equal to,' so anything not equal to 'deny' is displayed, which is any allowed traffic.


(action eq deny)
(action neq allow)

Example: (action eq deny) - Shows all traffic denied by the firewall rules.

NOTE: Placing the letter 'n' in front of 'eq' means 'not equal to,' so anything not equal to 'allow' is displayed, which is any denied traffic.

TRAFFIC from a particular user

(user.src eq 'Sysnet\Shabeer') - Shows traffic from that particular user [Sysnet is domain and shabeer is username]

Combining Traffic Filter Examples

Show denied traffic from SOURCE 

(addr.src in ) and (action eq deny)


(addr.src in and (addr.dst in and (port.dst eq 80) and (action eq allow)


(zone.src eq DEVELOPMENT) and (addr.src in and (addr.dst in and (zone.dst eq SECURITY) 

NOTE : You don't need to remember any of the filters mentioned above.Its very simple to create even complex filters .You can simply click the needed criteria on the logs and it will automatically add to the filtering.You just need to edit the particular zone/IP address/Port number or Action

For example
Below screenshot shows traffic from user plano2003\csharma. If you want to search custom user all you need to do is to
1. Click on any user below "Source user"  here it is (user.src eq 'plano2003\csharma')
2.Then it will add(user.src eq 'plano2003\csharma') to the filter bar. edit it with your custom username
1.To create a filter go to Monitor > Traffic
2. Just CLICK on the custom field you need to make a filter ie click on any field under From Zone / To Zone / Source / Source user / Destination / To port / Application / Action .In the above example we create filter using source user
3.Edit the IP/ZONE/PORT/ACTION as per your need
4..Press ENTER and it will show the custom traffic you need to see.