Enter configuration commands,

Tony M · ‎07-02-2015

We've got an ACS 5.7 server on which a CLI admin account has been locked out. When attempting to log in, I see:

[tmartino@acomputer ~]$ ssh lockedaccount@acs09
Copyright(c) 2015 Cisco Systems, Inc. All rights Reserved

Account locked due to 152 failed logins
Password:
Account locked due to 153 failed logins
Password:

So, no big deal, I tried to reset it. I noticed the disabled flag was not set for the account, so I just removed the account and added it again. Same message, with the count incrementing from where it stopped the last time.

I tried again, this time attempting to log in to the account after it had been deleted, before adding it again. Same result.

A scan of the documentation revealed no method to correct this. Is there any way to allow this account to log in again?

cciesec2011 · ‎07-06-2015

Enter configuration commands, one per line. End with CNTL/Z.
cacsd001/cciesec(config)# password-policy
cacsd001/cciesec(config-password-policy)# no password-lock-enabled
cacsd001/cciesec(config-password-policy)#

m-ko · ‎07-10-2015

If the admin account is locked, so how can you get to config mode unless you have another admin account to logon?

elisa · ‎06-25-2016

Hi,

Same question here :( I have one account for CLI and I am pretty sure it has been locked out bcz I tried many times to reset it through booting from ISO but no success.

Now, what can I do to get to CLI??!!

vthaluru · ‎07-04-2016

Hi All,

We have bug ( CSCuy45998) for this issue.

Thanks

VenkataKrishna

vthaluru · ‎07-07-2016

Hi Elisa,

Please rate helpful posts and mark correct answers.

Thanks

VenkataKrishna

slovett · ‎02-10-2017

Your bug listed above does not answer the question, "What do I do to recover my Admin account?"

All the bug does is tells us to disable the password lock option. If we are locked out of our system, how do we do that?

ffischer · ‎05-24-2017

Hi,

same issue at one of my clients.

Its great to to have a bug.

And the only workaround requires a successful logon to ACS CLI.
You can only do this by using another unlocked account.

I would bet that this second account is rarely available.

How can I then login to ACS CLI ?

If there is no hidden Backdoor in ACS we have no solution.

Fix would be:

creating an install/recoveryCD that not only sets a new password

but resets the "account locked" status in ACS as well.

BR,

Frank

jpillai · ‎04-03-2018

I have tried your suggestion, but still not able to login. Do we have alternate option to unlock the user ID

Moreira · ‎05-08-2018

Hello everyone.

The one mentioned by @vthaluru is correct. It is a BUG and there is still no solution to date.
You have three options to solve it.
1) Login with a non-blocked user and execute the following.
"Enter the configuration commands,
(config) # password-policy
(config-password-policy) # password-lock-retry-count 20
(config-password-policy) #

Log in with the blocked user
Then reconfigure

(config) # password-policy
(config-password-policy) # password-lock-retry-count 5

This is the only way to return the counter to 0.

2) Reply by @cciesec2011
The negative is that you stop having a security policy.

3) If you do not have a unblocked account, you just have to use the password recovery which is described in the ACS device guide for your version.

Regards.

Jodie · ‎10-18-2017

In ISE 2.1 I just changed the security policy in the GUI to not suspend or lock out the accounts. After that cascaded to the nodes I was able to logon with a backup account I had and then reset the password and login as admin.

ACS 5.7 CLI Account Locked