Does password recovery procedure on CM allow you into GUI?
I have a customer with 3 WAAS appliances and a CM running WAAS 4.1.3a. The customer has lost their network engineer and they do not have the admin passwords. I can telnet to the CLI of all devices but I am trying to access the CM GUI and don't get privileged access with my account. The CM has 2 accounts showing in the config, the admin account and another which is specific to this customer. Both have privilege 15 but I don't know the password to either. The primary authentication mechanisms for login and configuration are set to tacacs with the secondary set to local. I am able to login to the command line using a support account that we have the password for so it appears that tacacs is working but if I use this account on the GUI it logs me in but does not give me privileged access to the GUI. I think I read somewhere that the GUI uses a different authentication mechanism and to get privileged access to the GUI the account has to be created within the GUI. Is that right?
Unfortunately I don't have access to the tacacs server and we don't look after it so I can't just change the admin password in the tacacs server.
With the support account I have on the CLI, when I try to change the admin account password it says:
waas-cm(config)#username admin passwd
Warning: User configuration performed via CLI may be overwritten by the central manager. Please use the central manager to configure user accounts.
New WAAS password:
If I try to login to the GUI using the new password I set then it doesn't work but I am not sure if that is because it is trying to use tacacs to authenticate the GUI or because the CM over-wrote it.
I found the password recovery/change procedure but I wasn't sure if this would help me get into the GUI or just the cli. If I reload the box and follow the procedure to change the admin password then will this change the password used by the GUI? Should I be concentrating on the CM or focussing on the tacacs server which isn't in this site and which I don't look after? If I change the admin password using the recovery procedure and then remove the tacacs config then will I be able to get into the GUI using the new admin password? Any other suggestions of what I can do?
Since you have CLI access to the CM, why not telnet/ssh to the CM and remove the TACACS configuration temporarily so users aren't checked against TACACS when you try to log in to the CM GUI? Then, since you don't know the admin password, you could change it via the CLI command you previously used, and then try to log in to the CM GUI with that admin account.
Once you have the known admin account you can reconfigure your TACACS configuration as it was before.
Now I suspect the reason you were able to log in to the CM GUI with the support account but had no privileges was that this support user, or the group in TACACS it belongs to, was not defined in the CM GUI under Admin -> AAA -> Users. The TACACS server in this case does the authentication, but the authorization to view certain pages within the CM GUI is done on the CM itself. So, it is required to have the user or the group defined in the CM GUI with the appropriate role(s) associated to that object.
Once you define this support user account within the CM GUI it too should have access when TACACS is enabled. Here are the steps I would take:
Log into your CM via SSH/Telnet with your TACACS user credentials. Once in here, do the following:
NC-WAAS-CM(config)#no authentication fail-over server-unreachable
NC-WAAS-CM(config)#authentication login local enable primary
NC-WAAS-CM(config)#authentication login tacacs enable secondary
Log into the CM GUI with the local WAE credentials (admin, ).
Go to Admin -> AAA -> Users -> Add a user -> Specify the support username you added to your TACACS server and click Submit (no need to change any other fields) -> Select Role Management -> Assign this user the admin role (or whichever custom role(s) you have defined) and click submit.
Back on the CLI:
NC-WAAS-CM(config)#authentication login local enable secondary
NC-WAAS-CM(config)#authentication login tacacs enable primary
NC-WAAS-CM(config)#authentication fail-over server-unreachable
Log out of the CM GUI, and try to log back in with your TACACS credentials.
Here is the configuration guide section on user accounts and groups which may help explain in more detail.
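A way to confirm that the "Back on the CLI" step was actually applied, as an added example (not part of the original answer and not a Cisco tool): the script reads saved configuration text and reports whether the login order is still in the temporary recovery state. It recognises only the three command forms quoted in the answer, and both sample configurations are constructed.

```python
import re

# Only the command forms quoted in the answer are recognised.
LOGIN_RE = re.compile(r"^authentication login (\S+) enable (primary|secondary)$")
FAILOVER = "authentication fail-over server-unreachable"

def audit_login_auth(config_text):
    """Return (order, failover_set, findings) for a block of config text."""
    order = {}            # e.g. {"primary": "tacacs", "secondary": "local"}
    failover_set = False
    for raw in config_text.splitlines():
        line = raw.strip()
        match = LOGIN_RE.match(line)
        if match:
            order[match.group(2)] = match.group(1)   # later lines override earlier
        elif line == FAILOVER:
            failover_set = True
        elif line == "no " + FAILOVER:
            failover_set = False

    findings = []
    if order.get("primary") == "local":
        findings.append("local is primary: temporary recovery order still active")
    if "tacacs" not in order.values():
        findings.append("tacacs is not a login method: TACACS config not restored")
    if "local" not in order.values():
        findings.append("local is not a login method: no fallback account path")
    if not failover_set:
        findings.append("fail-over server-unreachable is not set")
    return order, failover_set, findings

# Constructed sample: state after the first three CLI commands in the answer.
DURING_RECOVERY = """\
no authentication fail-over server-unreachable
authentication login local enable primary
authentication login tacacs enable secondary
"""
# Constructed sample: state after the "Back on the CLI" commands.
RESTORED = """\
authentication login local enable secondary
authentication login tacacs enable primary
authentication fail-over server-unreachable
"""

if __name__ == "__main__":
    for name, text in (("during recovery", DURING_RECOVERY), ("restored", RESTORED)):
        print(name, audit_login_auth(text))
```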