Does password recovery procedure on CM allow you into GUI?
I have a customer with 3 WAAS appliances and a CM running WAAS 4.1.3a. The customer has lost their network engineer and they do not have the admin passwords. I can telnet to the CLI of all devices but I am trying to access the CM GUI and don't get privileged access with my account. The CM has 2 accounts showing in the config, the admin account and another which is specific to this customer. Both have privilege 15 but I don't know the password to either. The primary authentication mechanisms for login and configuration are set to tacacs with the secondary set to local. I am able to login to the command line using a support account that we have the password for so it appears that tacacs is working but if I use this account on the GUI it logs me in but does not give me privileged access to the GUI. I think I read somewhere that the GUI uses a different authentication mechanism and to get privileged access to the GUI the account has to be created within the GUI. Is that right?
Unfortunately I don't have access to the tacacs server and we don't look after it so I can't just change the admin password in the tacacs server.
With the support account I have on the CLI, when I try to change the admin account password it says:
waas-cm(config)#username admin passwd
Warning: User configuration performed via CLI may be overwritten by the central manager. Please use the central manager to configure user accounts.
New WAAS password:
If I try to login to the GUI using the new password I set then it doesn't work but I am not sure if that is because it is trying to use tacacs to authenticate the GUI or because the CM over-wrote it.
I found the password recovery/change procedure but I wasn't sure if this would help me get into the GUI or just the cli. If I reload the box and follow the procedure to change the admin password then will this change the password used by the GUI? Should I be concentrating on the CM or focussing on the tacacs server which isn't in this site and which I don't look after? If I change the admin password using the recovery procedure and then remove the tacacs config then will I be able to get into the GUI using the new admin password? Any other suggestions of what I can do?
Since you have CLI access to the CM, why not telnet/ssh to the CM and remove the TACACS configuration temporarily so users aren't checked against TACACS when you try to login to the CM GUI? Then, since you don't know the admin password, you could change it via the CLI command you previously used, and then try to login to the CM GUI with that admin account.
Once you have the known admin account you can reconfigure your TACACS configuration as it was before.
Now I suspect the reason you were able to login to the CM GUI with the support account but had no privileges was that this support user, or the group in TACACS it belongs to, was not defined in the CM GUI under Admin -> AAA -> Users. The TACACS server in this case does the authentication, but the authorization to view certain pages within the CM GUI is done on the CM itself. So, it is required to have the user or the group defined in the CM GUI with the appropriate role(s) associated to that object.
Once you define this support user account within the CM GUI it too should have access when TACACS is enabled. Here are the steps I would take:
Log into your CM via SSH/Telnet with your TACACS user credentials. Once in here do the following:
NC-WAAS-CM(config)#no authentication fail-over server-unreachable
NC-WAAS-CM(config)#authentication login local enable primary
NC-WAAS-CM(config)#authentication login tacacs enable secondary
Log into the CM GUI with the local WAE credentials (admin, ).
Go to Admin -> AAA -> Users -> Add a user -> Specify the support username you added to your TACACS server and click Submit (no need to change any other fields) -> Select Role Management -> Assign this user the admin role (or whichever custom role(s) you have defined) and click submit.
Back on the CLI:
NC-WAAS-CM(config)#authentication login local enable secondary
NC-WAAS-CM(config)#authentication login tacacs enable primary
NC-WAAS-CM(config)#authentication fail-over server-unreachable
Log out of the CM GUI, and try to log back in with your TACACS credentials.
Here is the configuration guide section on user accounts and groups which may help explain in more detail.
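A check that the temporary authentication order from the steps above was put back afterwards, as an added example that is not part of the original posts or any Cisco tooling. It assumes a saved copy of the configuration uses the same line form as the commands typed in the thread; `audit_auth_order` and both sample configurations are constructed for illustration.

```python
import re

# Constructed samples; line format assumed to match the commands in the thread.
TEMPORARY = """\
no authentication fail-over server-unreachable
authentication login local enable primary
authentication login tacacs enable secondary
authentication configuration tacacs enable primary
authentication configuration local enable secondary
"""
RESTORED = """\
authentication login local enable secondary
authentication login tacacs enable primary
authentication configuration local enable secondary
authentication configuration tacacs enable primary
authentication fail-over server-unreachable
"""

AUTH_RE = re.compile(
    r"^authentication (login|configuration) (\S+) enable (primary|secondary)$")
FAILOVER = "authentication fail-over server-unreachable"

def audit_auth_order(config_text, expected_primary="tacacs"):
    """Return findings; an empty list means the original order is back."""
    order = {}        # (kind, priority) -> method
    failover = None   # None = line absent, True = set, False = negated
    for raw in config_text.splitlines():
        line = " ".join(raw.split())   # normalise whitespace
        if line == FAILOVER:
            failover = True
        elif line == "no " + FAILOVER:
            failover = False
        elif (m := AUTH_RE.match(line)):
            kind, method, priority = m.groups()
            order[(kind, priority)] = method
    findings = []
    for kind in ("login", "configuration"):
        primary = order.get((kind, "primary"))
        if primary is None:
            findings.append(f"{kind}: no primary method configured")
        elif primary != expected_primary:
            findings.append(f"{kind}: primary is {primary}, expected {expected_primary}")
    if failover is not True:
        findings.append("fail-over server-unreachable is not enabled")
    return findings

if __name__ == "__main__":
    for name, text in (("temporary", TEMPORARY), ("restored", RESTORED)):
        print(name, audit_auth_order(text) or "OK")
```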