
ACS 5.7 CLI Account Locked

Tony M
Level 1

We've got an ACS 5.7 server on which a CLI admin account has been locked out. When attempting to log in, I see:

[tmartino@acomputer ~]$ ssh lockedaccount@acs09
Copyright(c) 2015 Cisco Systems, Inc. All rights Reserved

Account locked due to 152 failed logins
Password:
Account locked due to 153 failed logins
Password:

So, no big deal, I tried to reset it. I noticed the disabled flag was not set for the account, so I just removed the account and added it again. Same message, with the count incrementing from where it stopped the last time.

I tried again, this time attempting to log in to the account after it had been deleted, before adding it again. Same result.

A scan of the documentation revealed no method to correct this. Is there any way to allow this account to log in again?


cciesec2011
Level 3

Enter configuration commands, one per line.  End with CNTL/Z.
cacsd001/cciesec(config)# password-policy
cacsd001/cciesec(config-password-policy)# no password-lock-enabled
cacsd001/cciesec(config-password-policy)#

If the admin account is locked, how can you get to config mode unless you have another admin account to log on with?
 

Hi,

Same question here :( I have one account for CLI and I am pretty sure it has been locked out, because I tried many times to reset it by booting from the ISO, but with no success.

Now, what can I do to get to CLI??!!

Hi All,

We have a bug (CSCuy45998) for this issue.

Thanks

VenkataKrishna

Hi Elisa,

Please rate helpful posts and mark correct answers.

Thanks

VenkataKrishna

Your bug listed above does not answer the question, "What do I do to recover my Admin account?"

All the bug does is tell us to disable the password lock option. If we are locked out of our system, how do we do that?

Hi,

Same issue at one of my clients.

It's great to have a bug.

And the only workaround requires a successful logon to the ACS CLI.
You can only do this by using another unlocked account.

I would bet that this second account is rarely available.

How can I then log in to the ACS CLI?

If there is no hidden backdoor in ACS, we have no solution.

Fix would be:

creating an install/recovery CD that not only sets a new password but resets the "account locked" status in ACS as well.

BR,

Frank

I have tried your suggestion, but I am still not able to log in. Do we have an alternate option to unlock the user ID?

 

Hello everyone.


The one mentioned by @vthaluru is correct. It is a bug and there is still no solution to date.
You have three options to solve it.
1) Log in with a non-blocked user and execute the following.
"Enter the configuration commands,
(config)# password-policy
(config-password-policy)# password-lock-retry-count 20
(config-password-policy)#

Log in with the blocked user.
Then reconfigure:

(config)# password-policy
(config-password-policy)# password-lock-retry-count 5

This is the only way to return the counter to 0.

 

2) Reply by @cciesec2011
The negative is that you stop having a security policy.

 

3) If you do not have an unblocked account, you just have to use the password recovery which is described in the ACS device guide for your version.

 

Regards.

 

Jodie
Level 1

In ISE 2.1 I just changed the security policy in the GUI to not suspend or lock out the accounts. After that cascaded to the nodes, I was able to log on with a backup account I had and then reset the password and log in as admin.