07-02-2015 08:09 AM - edited 03-10-2019 10:52 PM
We've got an ACS 5.7 server on which a CLI admin account has been locked out. When attempting to log in, I see:
[tmartino@acomputer ~]$ ssh lockedaccount@acs09
Copyright(c) 2015 Cisco Systems, Inc. All rights Reserved
Account locked due to 152 failed logins
Password:
Account locked due to 153 failed logins
Password:
So, no big deal, I tried to reset it. I noticed the disabled flag was not set for the account, so I just removed the account and added it again. Same message, with the count incrementing from where it stopped the last time.
I tried again, this time attempting to log in to the account after it had been deleted, before adding it again. Same result.
A scan of the documentation revealed no method to correct this. Is there any way to allow this account to log in again?
07-06-2015 08:37 AM
Enter configuration commands, one per line. End with CNTL/Z.
cacsd001/cciesec(config)# password-policy
cacsd001/cciesec(config-password-policy)# no password-lock-enabled
cacsd001/cciesec(config-password-policy)#
07-10-2015 08:21 AM
If the admin account is locked, how can you get to config mode unless you have another admin account to log on?
06-25-2016 09:14 PM
Hi,
Same question here :( I have one account for CLI and I am pretty sure it has been locked out, because I tried many times to reset it by booting from the ISO, but with no success.
Now, what can I do to get to CLI??!!
07-04-2016 12:07 AM
Hi All,
We have a bug (CSCuy45998) for this issue.
Thanks
VenkataKrishna
07-07-2016 04:38 AM
Hi Elisa,
Please rate helpful posts and mark correct answers.
Thanks
VenkataKrishna
02-10-2017 10:41 AM
Your bug listed above does not answer the question, "What do I do to recover my Admin account?"
All the bug does is tell us to disable the password lock option. If we are locked out of our system, how do we do that?
05-24-2017 09:53 AM
Hi,
Same issue at one of my clients.
It's great to have a bug.
And the only workaround requires a successful logon to ACS CLI.
You can only do this by using another unlocked account.
I would bet that this second account is rarely available.
How can I then log in to the ACS CLI?
If there is no hidden backdoor in ACS, we have no solution.
Fix would be:
creating an install/recovery CD that not only sets a new password
but resets the "account locked" status in ACS as well.
BR,
Frank
04-03-2018 12:21 PM
I have tried your suggestion, but I am still not able to log in. Do we have an alternate option to unlock the user ID?
05-08-2018 06:35 AM
Hello everyone.
The one mentioned by @vthaluru is correct. It is a bug and there is still no solution to date.
You have three options to solve it.
1) Log in with a non-blocked user and execute the following.
Enter the configuration commands:
(config) # password-policy
(config-password-policy) # password-lock-retry-count 20
(config-password-policy) #
Log in with the blocked user
Then reconfigure
(config) # password-policy
(config-password-policy) # password-lock-retry-count 5
This is the only way to return the counter to 0.
2) Reply by @cciesec2011
The negative is that you stop having a security policy.
3) If you do not have an unblocked account, you just have to use the password recovery which is described in the ACS device guide for your version.
Regards.
10-18-2017 02:07 PM
In ISE 2.1 I just changed the security policy in the GUI to not suspend or lock out the accounts. After that cascaded to the nodes, I was able to log on with a backup account I had and then reset the password and log in as admin.