
Migrations from ACS to ISE

Moreplovac
Level 1

Hello

We are preparing a migration for a customer, from ACS 5.8 to ISE, and want to use the migration utility; this utility requires enabling the migration interface using the command acs config-web-interface migration enable on the ACS CLI.

Unfortunately, access to the CLI (using admin) is not available because the admin account is locked due to 544 failed logins. We have tried to reset the password via CD recovery, successfully, but cannot log in with the new password.

Is there any way to unlock the admin account? Or any other way to enter the above migration interface?

Appreciate assistance

balaji.bandi
Hall of Fame

You need to try the recovery DVD again and change the default value not to unlock.

BB


Thanks for your reply; I am guessing you need to log in with admin un/pw in order to change the default value, but as I mentioned I am unable to log in after successfully resetting the admin password, due to the number of failed login attempts.

Any other suggestions?

Damien Miller
VIP Alumni
You'll have no choice but to follow the reset process in this guide.
https://community.cisco.com/t5/security-documents/acs-5-x-cli-password-recovery-procedure/ta-p/3125810

Once in, you can add a command to prevent another lockout.

(config)# password-policy
(config-password-policy)# no password-lock-enabled

From there you can enable the migration.


The migration tool works pretty well, but you'll still need to do some policy cleanup since the logic is not identical. It still saves a lot of time in any sizable deployment, so it's worth taking the time to reset imo.

Thanks Damien

I did go through the password reset process but unfortunately I cannot log in with admin un/pw, please see attached...

The same thing is happening on my second ACS (standby).

Is there any way to prevent lockouts using the GUI?

If you were on ISE, then the password/account lockout policy is available from the GUI, but I don't remember ever seeing this same menu in ACS.

For your immediate ACS issue: can you remove the network connection while you perform the reset? If so, then perform it again, then from the console disable the lockout with the two prior commands I shared. Enable the network again after.

The other option is to create a new admin account, something like admin2, instead of just admin. It is unlikely that admin2 will get locked out in the same way.

Thanks Damien for the quick response.

What I actually did is: cloned the production ACS VM; disabled the network interfaces; added the CD, booted off the CD and changed the admin password; reloaded the cloned ACS and attempted to log in to ACS. The login was unsuccessful with the error message I have attached.

On the production ACS, I have added another user as admin2 but I believe this is just a GUI user, with no access to the console, right?