Participant

Application Network Manager 4.1(0)

Hi all,

When configuring the ANM to import 6500 chassis and ACE modules, I used an account whose password needs to be changed every so often.

I've looked for a way to change the password in the ANM for this account, but I can't seem to find where to do it.  Is there a way to change the password of the account in question on the ANM?  I think the ANM uses this account to log in and check the health of the ACEs, etc., as I'm seeing loads of authentications in our ACS server.

There is an "Update Password..." button at the bottom of the Config->Import Devices screen, but it isn't clear whether it updates the account's password or something else.  Does anyone know how I might go about changing the password for the user account?

Or better yet, is there a way to change the account to an account that doesn't have finite passwords?

For reference, the ANM uses an account that authenticates against an ACS box; that ACS box then authenticates via LDAP against our Domain.

Thanks for any help.  Helpful posts will be rated!

Brad

1 ACCEPTED SOLUTION

Cisco Employee

Hi Brad,

The "Update password" button will not only update the password ANM is using to access the device, but also the password on the device itself for that user (assuming it's a local user).

I'm not sure how it would work if you are using an external authentication system in your ACE, but my guess is that it will create a local user on your ACE with the new credentials. Even in this case, authentication will still work, because I'm sure the ACE is configured to use the external authentication system first.

Anyway, as a best practice, I would recommend that you define a username on the ACE to be used only by ANM, ideally defined locally on the devices, or if this is not possible, at least with a non-expiring password.

Regards

Daniel

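The dedicated-account setup Daniel recommends, shown as an added ACE configuration fragment that is not from the thread or from Cisco documentation. It assumes the ACE reaches ACS over TACACS+ (the thread only says ACS fronts LDAP/AD); the account name anm-svc, the server group name ACS-GROUP, the address 10.0.0.10 and the Admin role are placeholders, and the secrets in angle brackets are to be filled in.

```text
! ACE module configuration fragment (added example; names, address, role and
! protocol are assumptions, not taken from the thread)

! 1. Local account used only by ANM, with a password that never expires.
!    Create it BEFORE that username ever authenticates remotely: the last post
!    in the thread reports the ACE refusing to add a local user once it already
!    knows the same name as a remote user.
!    "password 0" takes cleartext, "password 5" takes a pre-hashed value.
username anm-svc password 0 <strong-secret> role Admin domain default-domain

! 2. Remote authentication against ACS (assumed TACACS+).
tacacs-server host 10.0.0.10 key <shared-secret>
aaa group server tacacs+ ACS-GROUP
  server 10.0.0.10

! 3. Login method list: ACS first, local database only as fallback.
!    This list is device-wide, as Brad notes, so every other user still
!    authenticates via ACS/AD; only names that also exist locally (anm-svc)
!    can still log in when the ACS group is unreachable.
aaa authentication login default group ACS-GROUP local
```

With this in place, the ANM is imported (or re-imported via Config->Guided Setup->Import Devices, as Brad did) using anm-svc, and its password rotation is managed on the ACE rather than through the AD/ACS expiry policy. This follows the "ideally local" branch of Daniel's advice; Brad's own final solution took the other branch, a non-expiring AD service account authenticated through ACS, which works the same way but depends on ACS and AD being up.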

3 REPLIES


Thanks Daniel, sound advice.

This creates a little conundrum, however. If I change the login policy for the ANM to log in to the ACE modules from the ACS to local accounts, then it also changes the login policy for ALL users logging into the ACE modules.  My understanding is that ACEs default to the local user database if the ACS server isn't available.

The ANM is primarily used by the application guys who look after their own bits within the ANM (eg specific contexts and so on) and us networking people go straight to the CLI.

What I'll do today is change the account it uses to an AD service account (authenticating to ACS which then authenticates to LDAP) and I'll also put that account in the local database.  The service account's password will never change.

I'll report back when I've done it to let you know if it's a goer.

Thanks for your advice.

Brad


To get this working I ended up doing:

Deleting the chassis from the ANM from the Config->Guided Setup->Import Devices screen and then adding the chassis back in with the new username and its password.

As I needed to keep remote authentication (via ACS) for all other users, I had to give the ANM a user that could be authenticated remotely.  An AD service account was created for this authentication purpose only.  In the ACS, I gave that user sufficient privileges and had it authenticating to AD.

Apart from not being able to auth if the ACS server or AD is down, this seems to be working okay.

PS: In retrospect I perhaps should have created a local user first before I did the AD thing, because now, when I try to add that user as a local user (in case of the unlikely event of the aforementioned problem of losing AD or ACS), the ACE module says that the user is already a remote user and I can't add it as a local user.

Thanks all.

Brad
