Does password recovery procedure on CM allow you into GUI?
I have a customer with 3 WAAS appliances and a CM running WAAS 4.1.3a. The customer has lost their network engineer and they do not have the admin passwords. I can telnet to the CLI of all devices but I am trying to access the CM GUI and don't get privileged access with my account. The CM has 2 accounts showing in the config, the admin account and another which is specific to this customer. Both have privilege 15 but I don't know the password to either. The primary authentication mechanisms for login and configuration are set to tacacs with the secondary set to local. I am able to login to the command line using a support account that we have the password for so it appears that tacacs is working but if I use this account on the GUI it logs me in but does not give me privileged access to the GUI. I think I read somewhere that the GUI uses a different authentication mechanism and to get privileged access to the GUI the account has to be created within the GUI. Is that right?
Unfortunately I don't have access to the tacacs server and we don't look after it so I can't just change the admin password in the tacacs server.
With the support account I have on the CLI, when I try to change the admin account password it says:
waas-cm(config)#username admin passwd
Warning: User configuration performed via CLI may be overwritten by the central manager. Please use the central manager to configure user accounts.
New WAAS password:
If I try to login to the GUI using the new password I set then it doesn't work but I am not sure if that is because it is trying to use tacacs to authenticate the GUI or because the CM over-wrote it.
I found the password recovery/change procedure but I wasn't sure if this would help me get into the GUI or just the cli. If I reload the box and follow the procedure to change the admin password then will this change the password used by the GUI? Should I be concentrating on the CM or focussing on the tacacs server which isn't in this site and which I don't look after? If I change the admin password using the recovery procedure and then remove the tacacs config then will I be able to get into the GUI using the new admin password? Any other suggestions of what I can do?
Since you have CLI access to the CM, why not telnet/ssh to the CM and remove the TACACS configuration temporarily so users aren't checked against TACACS when you try to login to the CM GUI. Then since you don't know the admin password you could change it via the CLI command you previously used, and then try to login to the CM GUI with that admin account.
Once you have the known admin account you can reconfigure your TACACS configuration as it was before.
Now I suspect the reason you were able to login to the CM GUI with the support account, but you had no privileges, was because this support user or the group in TACACS it belongs to was not defined in the CM GUI under Admin -> AAA -> Users. The TACACS server in this case does the authentication, but the authorization to view certain pages within the CM GUI is done on the CM itself. So, it is required to have the user or the group defined in the CM GUI with the appropriate role(s) associated to that object.
Once you define this support user account within the CM GUI it too should have access when TACACS is enabled. Here are the steps I would take:
Log into your CM via SSH/Telnet with your TACACS user credentials. Once in here do the following:
NC-WAAS-CM(config)#no authentication fail-over server-unreachable
NC-WAAS-CM(config)#authentication login local enable primary
NC-WAAS-CM(config)#authentication login tacacs enable secondary
Log into the CM GUI with the local WAE credentials (admin, ).
Go to Admin -> AAA -> Users -> Add a user -> Specify the support username you added to your TACACS server and click Submit (no need to change any other fields) -> Select Role Management -> Assign this user the admin role (or whichever custom role(s) you have defined) and click submit.
Back on the CLI:
NC-WAAS-CM(config)#authentication login local enable secondary
NC-WAAS-CM(config)#authentication login tacacs enable primary
NC-WAAS-CM(config)#authentication fail-over server-unreachable
Log out of the CM GUI, and try to log back in with your TACACS credentials.
Here is the configuration guide section on user accounts and groups which may help explain in more detail.
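As an added illustration (not part of the original thread), here is a small Python model of the login behaviour the answer describes: authentication follows the configured order and fail-over policy, while GUI privileges come only from the CM's own user/role table. The databases, passwords and the decision logic itself are assumptions drawn from the answer, not Cisco's implementation.

```python
from dataclasses import dataclass

# Constructed sample data (assumptions, not values from the thread).
TACACS_DB = {"support": "s3cret"}     # what the TACACS server knows
LOCAL_DB = {"admin": "NewLocalPw"}    # local password set from the CLI
CM_ROLES = {"admin": {"admin"}}       # CM GUI Admin -> AAA -> Users role table


@dataclass
class AuthConfig:
    order: tuple                               # e.g. ("tacacs", "local")
    failover_only_if_unreachable: bool = True  # 'authentication fail-over server-unreachable'
    tacacs_reachable: bool = True


def _check(method, user, pw, cfg):
    """True/False for a verdict, None if the server could not be reached."""
    if method == "tacacs":
        if not cfg.tacacs_reachable:
            return None
        return TACACS_DB.get(user) == pw
    return LOCAL_DB.get(user) == pw


def authenticate(user, pw, cfg):
    """Return the method that accepted the credentials, or None."""
    for method in cfg.order:
        verdict = _check(method, user, pw, cfg)
        if verdict is True:
            return method
        # With server-unreachable fail-over, a reject from a reachable
        # primary is final; the secondary is never consulted.
        if verdict is False and cfg.failover_only_if_unreachable:
            return None
    return None


def assign_role(user, role):
    """Model of adding the user under Admin -> AAA -> Users -> Role Management."""
    CM_ROLES.setdefault(user, set()).add(role)


def gui_login(user, pw, cfg):
    """Returns (authenticated_by, roles); roles come from the CM, not TACACS."""
    method = authenticate(user, pw, cfg)
    if method is None:
        return (None, set())
    return (method, CM_ROLES.get(user, set()))
```

With TACACS primary and fail-over only on server-unreachable, the locally changed admin password is never tried, which is why the GUI login in the question failed; the support user authenticates but has no role until it is defined on the CM.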